Abstract

Bit commitment schemes are at the basis of modern cryptography. Since information-theoretic security is impossible both in the classical and the quantum regime, we examine computationally secure commitment schemes. In this paper we study worst-case complexity assumptions that imply quantum bit-commitment schemes. First we show that QSZK $\not\subseteq$ QMA implies a computationally hiding and statistically binding auxiliary-input quantum commitment scheme. We then extend our result to show that the much weaker assumption QIP $\not\subseteq$ QMA (which is weaker than PSPACE $\not\subseteq$ PP) implies the existence of auxiliary-input commitment schemes with quantum advice. Finally, to strengthen the plausibility of the separation QSZK $\not\subseteq$ QMA we find a quantum oracle relative to which honest-verifier QSZK is not contained in QCMA, the class of languages that can be verified using a classical proof in quantum polynomial time.

1 Introduction 

The goal of modern cryptography is to design protocols that remain secure under the weakest possible complexity assumptions. Such fundamental protocols include commitment schemes, authentication, one-way functions, and pseudorandom generators. All these primitives have been shown equivalent: for example commitment schemes imply one-way functions [13] and one-way functions imply commitments [10], [11], [21].

In this paper we study complexity assumptions that imply commitment schemes, which are the basis for many cryptographic constructions, such as zero knowledge protocols for NP. A commitment scheme is a two-phase protocol between a sender and a receiver. In the commit phase, the sender interacts with the receiver so that by the end of the phase, the sender is bound to a specific bit, which remains hidden from the receiver until the reveal phase of the protocol, where the receiver learns the bit.

There are two security conditions for such schemes: binding (the sender cannot reveal more than one value) and hiding (the receiver has no information about the bit before the reveal phase). These conditions can hold statistically, i.e. against an unbounded adversary, or computationally, i.e. against a polynomial-time adversary. Without further assumptions these conditions cannot both hold statistically [21], [23].
The main complexity assumptions that have been used for the construction of one-way functions, and hence commitments, involve the classes of Computational and Statistical Zero Knowledge. Ostrovsky and Wigderson [23] proved that if Computational Zero Knowledge (ZK) is not trivial then there exists a family of functions that are not 'easy to invert'. The result was extended by Vadhan [33] to show that if ZK does not equal Statistical Zero Knowledge (SZK), then there exists an auxiliary-input one-way function, i.e. one can construct a one-way function given an auxiliary input (or else advice). Auxiliary-input cryptographic primitives are natural when considering worst-case complexity classes: the auxiliary input can encode a 'hard' instance of a problem known only to be hard in the worst case. Last, Ostrovsky and Wigderson also showed that if ZK contains a 'hard-on-average' problem, then 'regular' one-way functions exist.

With the advent of quantum computation and cryptography, one needs to revisit computational security, since many widely-used computational assumptions, such as the hardness of factoring or the discrete logarithm problem, become false when the adversary is a polynomial-time quantum machine [io].

In this paper, we study worst-case complexity assumptions under which quantum commitment 
schemes exist. As in the classical case, we obtain auxiliary-input commitments: commitments 
that can be constructed with classical and/or quantum advice. As our commitments are quantum, 
we define the computational security properties against quantum poly-time adversaries (who also 
receive an arbitrary quantum auxiliary input). 

Our first result involves the class of Quantum Statistical Zero Knowledge, QSZK.

Theorem 1.1. If QSZK $\not\subseteq$ QMA there exists a non-interactive auxiliary-input quantum commitment scheme that is statistically-binding and computationally-hiding.

Before explaining this result, let us try to see what an equivalent classical result would mean. At a high level, the classical statement would be of the following form: if SZK is not in MA, then auxiliary-input commitments exist. However, under some derandomization assumptions, we have that NP = MA = AM (0, ^) and since SZK $\subseteq$ AM, we conclude that SZK $\subseteq$ MA. Hence, the equivalent classical assumption is quite strong and, if one believes in derandomization, possibly false.

However, in the quantum setting, it would be surprising if QSZK is actually contained in QMA. We know that QSZK $\subseteq$ QIP[2] [37], where QIP[2] is the class of languages that have quantum interactive proofs with two messages (note that one only needs three messages to get the whole power of quantum interactive proofs). So far, any attempt to reduce QIP[2] or QSZK to QMA, or to find any plausible assumptions that would imply it, has not been fruitful. This seems harder than in the classical case. The main reason is that the verifier's message cannot be reduced to a public coin message nor to a pure quantum state. His message is entangled with his quantum workspace and this seems inherent for the class QIP[2] as well as for QSZK. It would be striking if one could get rid of this entanglement and reduce these classes to a single message from the prover.

If we weaken the security condition to hold against quantum adversaries with only classical auxiliary input, then the above assumption also becomes weaker, i.e. QSZK $\not\subseteq$ QCMA, where QCMA is the class where the quantum verifier receives a single classical message from the prover. We give (quantum) oracle evidence for this by showing that

Theorem 1.2. There exists a quantum oracle A such that QSZK$^{A}_{hv} \not\subseteq$ QCMA$^{A}$.

Note that honest-verifier QSZK$_{hv}$ = QSZK [37] in the unrelativized case. Our proof of this result extends Aaronson and Kuperberg's result that there is a quantum oracle A such that QMA$^{A} \not\subseteq$ QCMA$^{A}$ [2]. Subsequent to the completion of this work, Aaronson has shown the stronger result that there is an oracle A such that SZK$^{A} \not\subseteq$ QMA$^{A}$. This result implies that our assumption that QSZK $\not\subseteq$ QMA is true relative to an oracle.

We then show the existence of commitment schemes based on a much weaker complexity assumption about quantum interactive proofs. More precisely, we look at the class QIP, which was first studied in [36]. This class is believed to be much larger than QSZK. We consider this class and its relation to QMA to show the following

Theorem 1.3. If QIP $\not\subseteq$ QMA there exist non-interactive auxiliary-input quantum commitment schemes (both statistically hiding and computationally binding as well as statistically binding and computationally hiding) with quantum advice.

Note that QIP = PSPACE [11] and QMA $\subseteq$ PP [j^], so our assumption is extremely weak, in fact weaker than PSPACE $\not\subseteq$ PP. Of course, with such a weak assumption we get a weaker form of commitment: the advice is now quantum. Thus, in order for the prover and the verifier to efficiently perform the commitment for a security parameter n, they need to receive a classical auxiliary input as well as quantum advice of size polynomial in n. This quantum advice is a quantum state on poly(n) qubits that is not efficiently constructible (otherwise, we could have reduced the quantum advice to classical advice by describing the efficient circuit that produces it). Moreover, the quantum advice we consider does not create entanglement between the players.

The key point behind this result is the structure of QIP. More precisely, we use the fact that there exists a QIP-complete problem where the protocol has only three rounds and the verifier's message is a single coin. The equivalent classical result would say that if three-message protocols with a single coin as a second message are more powerful than MA then commitments exist. Again, classically, if we believe that AM = MA, then this assumption is false. Taking this assumption to the quantum realm, it becomes 'almost' true, unless PSPACE = PP.

All of our commitment schemes are non-interactive, a feature that is useful in many applications. From QIP $\not\subseteq$ QMA we construct both statistically hiding and computationally binding commitments as well as statistically binding and computationally hiding ones, whose constructions are conceptually different. In order to prove the security of the first construction, we prove a parallel repetition theorem for protocols based on the swap test that may be of independent interest. From the QSZK $\not\subseteq$ QMA assumption we show here only statistically binding and computationally hiding commitments, but computationally binding and statistically hiding commitments can be similarly shown.



2 Definitions 

In order to define the statistical distance between quantum states, we use the trace norm, given by $\|X\|_{tr} = \operatorname{tr}\sqrt{X^\dagger X} = \max_U |\operatorname{tr}(XU)|$, where the maximization is taken over all unitaries of the appropriate size. Given one of two quantum states $\rho, \sigma$ with equal probability, the optimal measurement to distinguish them succeeds with probability $1/2 + \|\rho - \sigma\|_{tr}/4$ [21]. Note that this measurement is not generally efficient.

The diamond norm is a generalization of the trace norm to quantum channels that preserves the distinguishability characterization. Given one of two channels $Q_0, Q_1$ with equal probability, the optimal distinguishing procedure that uses the channel only once succeeds with probability $1/2 + \|Q_0 - Q_1\|_\diamond/4$. The diamond norm is more complicated to define than the trace norm, however, as the optimal distinguishing procedure may need to use an auxiliary space of size equal to the input space [18], [13JJ]. For a linear map $Q\colon L(\mathcal{H}) \to L(\mathcal{K})$ with an auxiliary space $\mathcal{F}$ with $\dim\mathcal{F} = \dim\mathcal{H}$, the diamond norm can be defined as $\|Q\|_\diamond = \max_{X \in L(\mathcal{H} \otimes \mathcal{F})} \|(Q \otimes 1_{L(\mathcal{F})})(X)\|_{tr} / \|X\|_{tr}$. One inconvenient property of the diamond norm is that for some maps the maximum in the definition may not be achieved on a quantum state. Fortunately, in the case of the difference of two completely positive maps this maximum is achieved by a pure state.



Lemma 2.1 ([29]). Let $\Phi_0, \Phi_1\colon L(\mathcal{H}) \to L(\mathcal{K})$ be completely positive linear maps and let $\Phi = \Phi_0 - \Phi_1$. Then, there exists a space $\mathcal{F}$ and a state $|\phi^*\rangle \in \mathcal{F} \otimes \mathcal{H}$ such that

$$\|\Phi\|_\diamond = \big\|(1_{L(\mathcal{F})} \otimes \Phi)(|\phi^*\rangle\langle\phi^*|)\big\|_{tr}.$$



Closely related to the diamond norm is a norm studied in operator theory known as the completely bounded norm. An upper bound on this norm can be found in [28]. Since the diamond norm is dual to this norm, this bound may also be applied to the diamond norm. See [15] for a discussion of this bound and the relationship between the diamond and completely bounded norms.

Lemma 2.2. Let $\Phi\colon L(\mathcal{H}) \to L(\mathcal{K})$ be a linear map, then

$$\|\Phi\|_\diamond \le (\dim\mathcal{H})\,\|\Phi\|_{tr} = (\dim\mathcal{H}) \sup_{X} \frac{\|\Phi(X)\|_{tr}}{\|X\|_{tr}}.$$

In addition to these norms, we will also make use of the fidelity between two quantum states [16], which is given by $F(\rho, \sigma) = \operatorname{tr}\sqrt{\sqrt{\sigma}\,\rho\,\sqrt{\sigma}}$. One property that is important for the results in this paper is that the fidelity only increases under the application of a quantum channel. Specifically, tracing out a portion of two states can only increase their fidelity, i.e. for $\rho, \sigma$ density matrices on $\mathcal{H} \otimes \mathcal{K}$, it holds that $F(\rho, \sigma) \le F(\operatorname{tr}_{\mathcal{K}}\rho, \operatorname{tr}_{\mathcal{K}}\sigma)$.

We also make significant use of the following two properties of the fidelity. 

Lemma 2.3 ([8]). For any density matrices $\rho$ and $\sigma$, $1 - F(\rho, \sigma) \le \frac{1}{2}\|\rho - \sigma\|_{tr} \le \sqrt{1 - F(\rho, \sigma)^2}$.

Lemma 2.4 ([H,!!!]). For any density matrices $\rho$ and $\sigma$, $\max_{\xi}\big(F(\rho, \xi)^2 + F(\xi, \sigma)^2\big) = 1 + F(\rho, \sigma)$.



2.1 Quantum Interactive Complexity Classes 

The class QMA, first studied in [34], is informally the class of all problems that can be verified by a quantum polynomial-time algorithm with access to a quantum proof.

Definition 2.5. A language L is in QMA if there is a poly-time quantum algorithm V (called the verifier) such that

1. if $x \in L$, then there exists a state $\rho$ such that $\Pr[V(x, \rho)\text{ accepts}] \ge a$,

2. if $x \notin L$, then for any state $\rho$, $\Pr[V(x, \rho)\text{ accepts}] \le b$,

where $a, b$ are any efficiently computable functions of $|x|$ with $a > b$ with at least an inverse polynomial gap [19], [22]. If $\rho$ is restricted to be a classical string, the class is called QCMA.



The class QIP, first studied in [36], consists of those problems that can be interactively verified in quantum polynomial time. A recent result is that QIP = PSPACE [14].

Definition 2.6. A language $L \in$ QIP if there is a poly-time quantum algorithm V exchanging quantum messages with an unbounded prover P such that for any input x

1. if $x \in L$ there exists a P such that (V, P) accepts with probability at least a.

2. if $x \notin L$, then for any prover P, (V, P) accepts with probability at most b.

As in QMA, we require only that $a > b$ with at least an inverse polynomial gap [Jp\].

One key property of QIP is that any quantum interactive proof system can be simulated by one using only three messages [13]. This is not expected to hold in the classical case, as it would imply that PSPACE = AM. This property allows us to define simple problems involving quantum circuits that are complete for QIP.

In what follows we consider quantum unitary circuits C that output a state in the space $\mathcal{O} \otimes \mathcal{G}$. These spaces can be different for each circuit. $\mathcal{O}$ corresponds to the output space and $\mathcal{G}$ to the garbage space. For any circuit C, we define $|\phi_C\rangle = C|0\rangle$ in the space $\mathcal{O} \otimes \mathcal{G}$ to be the output of the circuit before the garbage space is traced out, and $\rho_C = \operatorname{Tr}_{\mathcal{G}}(|\phi_C\rangle\langle\phi_C|)$ to be the mixed state output by the circuit after the garbage space is traced out. We will also consider more general mixed-state quantum circuits C that take an input state $\sigma$ and output a quantum state, denoted by $C(\sigma)$. Unlike unitary circuits, mixed-state circuits are allowed to introduce ancillary qubits and trace out qubits during the computation. Note that circuits of this form can (approximately) represent any quantum channel. The size of a circuit C is equal to the number of gates in the circuit plus the number of qubits used by the circuit, denoted $|C|$. We will also use $|\mathcal{H}|$ to refer to the size of a Hilbert space $\mathcal{H}$, i.e. $|\mathcal{H}| = \lceil \log_2 \dim\mathcal{H} \rceil$. We use $L(\mathcal{H})$ to refer to the set of all linear operators on $\mathcal{H}$, and $D(\mathcal{H})$ to denote the subset of these operators that are density matrices. We consider two complete problems for QIP.

Definition 2.7 (QCD Problem). Let $\mu$ be a negligible function. We define the promise problem QCD = {QCD$_Y$, QCD$_N$} with input two mixed-state quantum circuits $C_0, C_1$ of size n as

• $(C_0, C_1) \in \mathrm{QCD}_Y \Leftrightarrow \|C_0 - C_1\|_\diamond \ge 2 - \mu(n)$

• $(C_0, C_1) \in \mathrm{QCD}_N \Leftrightarrow \|C_0 - C_1\|_\diamond \le \mu(n)$

Definition 2.8 ($\Pi$ Problem). Let $\mu$ be a negligible function. We define the promise problem $\Pi = \{\Pi_Y, \Pi_N\}$ with input two mixed-state quantum circuits $C_0, C_1$ of size n, where for each i, $C_i\colon D(\mathcal{X} \otimes \mathcal{Y}) \to \{0, 1\}$, as

• $(C_0, C_1) \in \Pi_Y \Leftrightarrow \exists\, \rho^0, \rho^1 \in D(\mathcal{X} \otimes \mathcal{Y})$ with $\operatorname{tr}_{\mathcal{X}}(\rho^0) = \operatorname{tr}_{\mathcal{X}}(\rho^1)$ such that

$$\tfrac{1}{2}\big(\Pr[C_0(\rho^0) = 1] + \Pr[C_1(\rho^1) = 1]\big) = 1$$

• $(C_0, C_1) \in \Pi_N \Leftrightarrow \forall\, \rho^0, \rho^1 \in D(\mathcal{X} \otimes \mathcal{Y})$ with $\operatorname{tr}_{\mathcal{X}}(\rho^0) = \operatorname{tr}_{\mathcal{X}}(\rho^1)$ we have

$$\tfrac{1}{2}\big(\Pr[C_0(\rho^0) = 1] + \Pr[C_1(\rho^1) = 1]\big) \le \tfrac{1}{2} + \mu(n)$$

QCD is QIP-complete [29]. The QIP-completeness of $\Pi$ follows from a characterization of QIP due to Marriott and Watrous [22] that states that any problem in QIP has a three message protocol where the challenge from the Verifier consists of a single coin flip. We may also assume that this protocol has perfect completeness and soundness error negligibly larger than 1/2. Taking the circuits $C_0$ and $C_1$ as the final circuit of the Verifier in such a proof system when the challenge is either 0 or 1 results in an instance of the problem $\Pi$. The QIP-completeness of $\Pi$ then follows directly from the completeness and soundness conditions on the proof system.

The complexity class QSZK, introduced in [35], is the class of all problems that can be interactively verified by a quantum verifier who learns nothing beyond the truth of the assertion being verified. In the case that the verifier is honest, i.e. does not deviate from the protocol in an attempt to gain information, this class can be defined as

Definition 2.9. A language $L \in$ QSZK$_{hv}$ if

1. There is a quantum interactive proof system for L.

2. If $x \in L$, the state of the verifier in this proof system after the sending of each message can be approximated, within negligible trace distance, by a polynomial-time preparable quantum state.

If we insist that item 2 holds when the Verifier departs from the protocol, the result is the class QSZK. Watrous has shown that QSZK$_{hv}$ = QSZK [37]. This class has complete problems. We use the following QSZK-complete problem [35].

Definition 2.10 (QSD Problem). Let $\mu$ be a negligible function. QSD = {QSD$_Y$, QSD$_N$} is the promise problem on input $(C_0, C_1)$, unitary circuits of size n with m output qubits, such that

• $(C_0, C_1) \in \mathrm{QSD}_Y \Leftrightarrow \|\rho_{C_0} - \rho_{C_1}\|_{tr} \ge 2 - \mu(n)$

• $(C_0, C_1) \in \mathrm{QSD}_N \Leftrightarrow \|\rho_{C_0} - \rho_{C_1}\|_{tr} \le \mu(n)$

2.2 Quantum Computational Distinguishability 

The following definitions may be found in [37].

Definition 2.11. Two mixed states $\rho^0$ and $\rho^1$ on m qubits are $(s, k, \epsilon)$-distinguishable if there exists a mixed state $\sigma$ on k qubits and a quantum circuit D of size s that performs a two-outcome measurement on $(m + k)$ qubits, such that $|\Pr[D(\rho^0 \otimes \sigma) = 1] - \Pr[D(\rho^1 \otimes \sigma) = 1]| \ge \epsilon$. If $\rho^0$ and $\rho^1$ are not $(s, k, \epsilon)$-distinguishable, then they are $(s, k, \epsilon)$-indistinguishable.

Let $I \subseteq \{0, 1\}^*$ and let an auxiliary-input state ensemble be a collection of mixed states $\{\rho_x\}_{x \in I}$ on $r(|x|)$ qubits for a polynomial r with the property that $\rho_x$ can be efficiently generated given x.

Definition 2.12. Two auxiliary-input state ensembles $\{\rho^0_x\}$ and $\{\rho^1_x\}$ on I are quantum computationally indistinguishable if for all polynomials $p, s, k$ and for all but finitely many $x \in I$, $\rho^0_x$ and $\rho^1_x$ are $(s(|x|), k(|x|), 1/p(|x|))$-indistinguishable. Ensembles $\{\rho^0_x\}$ and $\{\rho^1_x\}$ on I are quantum computationally distinguishable if there exist polynomials $p, s, k$ such that for all $x \in I$, $\rho^0_x$ and $\rho^1_x$ are $(s(|x|), k(|x|), 1/p(|x|))$-distinguishable.
At first glance these definitions of distinguishability and indistinguishability are not complementary. We require distinguishability for all $x \in I$, but require indistinguishability for only all but finitely many $x \in I$. This is because $|x|$ will be our security parameter, and so while a polynomially-bounded adversary may be able to distinguish the two ensembles for a finite number of (small) values of $|x|$, as the parameter grows no efficient algorithm can distinguish the two ensembles.

Key to this definition is that if two ensembles are computationally distinguishable, then for all x there exists an efficient procedure in $|x|$ that distinguishes $\rho^0_x$ and $\rho^1_x$ with probability at least $1/2 + 1/p(|x|)$. Note that this is not a uniform procedure: the circuit that distinguishes the two states may depend on x.

Definition 2.13. Two auxiliary-input state ensembles $\{\rho^0_x\}$ and $\{\rho^1_x\}$ on I are quantum statistically indistinguishable if for any polynomial p and for all but finitely many $x \in I$, $\|\rho^0_x - \rho^1_x\|_{tr} \le 1/p(|x|)$.

Definition 2.14. Two admissible superoperators $\Phi^0$ and $\Phi^1$ from t qubits to m qubits are $(s, k, \epsilon)$-distinguishable if there exists a mixed state $\sigma$ on $t + k$ qubits and a quantum circuit D of size s that performs a two-outcome measurement on $(m + k)$ qubits, such that $|\Pr[D((\Phi^0 \otimes 1_k)(\sigma)) = 1] - \Pr[D((\Phi^1 \otimes 1_k)(\sigma)) = 1]| \ge \epsilon$, where $1_k$ denotes the identity superoperator on k qubits. If the superoperators $\Phi^0$ and $\Phi^1$ are not $(s, k, \epsilon)$-distinguishable, then they are $(s, k, \epsilon)$-indistinguishable.

Let $I \subseteq \{0, 1\}^*$ and let an auxiliary-input superoperator ensemble be a collection of superoperators $\{\Phi_x\}_{x \in I}$ from $q(|x|)$ to $r(|x|)$ qubits for some polynomials $q, r$, where as in the case of states, given x the superoperators can be performed efficiently in $|x|$.

Definition 2.15. Two auxiliary-input superoperator ensembles $\{\Phi^0_x\}$ and $\{\Phi^1_x\}$ on I are quantum computationally indistinguishable if for all polynomials $p, s, k$ and for all but finitely many $x \in I$, $\Phi^0_x$ and $\Phi^1_x$ are $(s(|x|), k(|x|), 1/p(|x|))$-indistinguishable. Auxiliary-input ensembles $\{\Phi^0_x\}$ and $\{\Phi^1_x\}$ on I are quantum computationally distinguishable if there exist polynomials $p, s, k$ such that for all $x \in I$, $\Phi^0_x$ and $\Phi^1_x$ are $(s(|x|), k(|x|), 1/p(|x|))$-distinguishable.

If two superoperator ensembles are computationally distinguishable then there is an efficient (nonuniform) procedure (in $|x|$) to distinguish them with probability at least $1/2 + 1/p(|x|)$ for some polynomial p. If the property of being $(s, k, \epsilon)$-indistinguishable holds for all (unbounded) s and all polynomial $k, 1/\epsilon$, then we call an ensemble statistically indistinguishable. Note that these definitions provide a strong quantum analogue of the classical non-uniform notion of computational indistinguishability, since the non-uniformity includes an arbitrary quantum state as advice to the distinguisher.

We define a new notion that we will use later on. Intuitively, two circuits that take input in the space $\mathcal{X} \otimes \mathcal{Y}$ and output a single bit are witnessable if there exist two input states that are identical on $\mathcal{Y}$ and are accepted by the two circuits with high probability.

Definition 2.16. Two superoperators $\Phi^0$ and $\Phi^1$ from $L(\mathcal{X} \otimes \mathcal{Y})$ to a single bit are $(s, k, p)$-witnessable if there exist two input states $\rho^0, \rho^1 \in D(\mathcal{X} \otimes \mathcal{Y})$ such that

1. $\tfrac{1}{2}\big(\Pr[\Phi^0(\rho^0) = 1] + \Pr[\Phi^1(\rho^1) = 1]\big) \ge 1/2 + 1/p(n)$

2. there exists a state $\sigma \in L(\mathcal{W} \otimes \mathcal{X} \otimes \mathcal{Y})$ with $|\mathcal{W}| = k$ and $\operatorname{tr}_{\mathcal{W}}\sigma = \rho^0$, and an admissible superoperator $\Psi\colon L(\mathcal{W} \otimes \mathcal{X}) \to L(\mathcal{X})$ of size s, such that $\rho^1 = (\Psi \otimes 1_{L(\mathcal{Y})})(\sigma)$, where $1_{L(\mathcal{Y})}$ denotes the identity on $L(\mathcal{Y})$.

If $\Phi^0$ and $\Phi^1$ are not $(s, k, p)$-witnessable, then they are $(s, k, p)$-unwitnessable.

Let $I \subseteq \{0, 1\}^*$ and let an auxiliary-input superoperator ensemble be a collection of superoperators $\{\Phi_x\}_{x \in I}$ from $q(|x|)$ qubits to 1 bit for a polynomial q, where given x the superoperators can be performed efficiently in $|x|$.

Definition 2.17. Auxiliary-input superoperator ensembles $\{\Phi^0_x\}$ and $\{\Phi^1_x\}$ on I are quantum computationally witnessable if there are polynomials $s, k, p$ such that for all $x \in I$, $\Phi^0_x$ and $\Phi^1_x$ are $(s(|x|), k(|x|), p(|x|))$-witnessable. Ensembles $\{\Phi^0_x\}$ and $\{\Phi^1_x\}$ on I are quantum computationally unwitnessable if for all polynomials $s, k, p$ and all but finitely many $x \in I$, $\Phi^0_x$ and $\Phi^1_x$ are $(s(|x|), k(|x|), p(|x|))$-unwitnessable.

2.3 Quantum Commitments 

Definition 2.18. A quantum commitment scheme (resp. with quantum advice) is an interactive protocol Com = (S, R) with the following properties

• The sender S and the receiver R have common input a security parameter $1^n$ (resp. both S and R have a copy of a quantum state $|\varphi\rangle$ of poly(n) qubits). The sender has private input the bit $b \in \{0, 1\}$ to be committed. Both S and R are quantum algorithms that run in time poly(n) that may exchange quantum messages.

• In the commit phase, S interacts with R in order to commit to b.

• In the reveal phase, S interacts with R in order to reveal b. R decides to accept or reject depending on the revealed value of b and his final state. We say that S reveals b if R accepts the revealed value. In the honest case, R always accepts.

A commitment scheme is non-interactive if the commit and the reveal phase each consist of a single message from S to R. When the commit phase is non-interactive, we call $\rho^b_S$ the state sent by the honest sender during the commit phase when his bit is b.

Definition 2.19. A non-interactive auxiliary-input quantum commitment scheme (with quantum advice) on I is a collection of non-interactive quantum commitment schemes (with advice) $\mathcal{C} = \{\mathrm{Com}_x = (S_x, R_x)\}_{x \in I}$ such that

• there exists a quantum circuit Q of size polynomial in $|x|$, that given as input x for any $x \in I$, can apply the same maps that $S_x$ and $R_x$ apply during the commitment scheme in time polynomial in $|x|$.

• (statistically/computationally hiding) the two auxiliary-input state ensembles sent by the honest sender when committing to 0 or 1, which are given by $\{\rho^0_{S_x}\}_{x \in I}$ and $\{\rho^1_{S_x}\}_{x \in I}$, are quantum statistically/computationally indistinguishable.

• (statistically/computationally binding) for all but finitely many $x \in I$, for all polynomial p and for any unbounded/polynomial dishonest senders $S^0_x, S^1_x$ that send the same state in the commit phase,

$$p_{S^*} \le \frac{1}{2} + \frac{1}{p(|x|)},$$

where $p_{S^*}$ denotes the average of the probability that $S^0_x$ reveals 0 and the probability that $S^1_x$ reveals 1.

When referring to a commitment scheme, we will use $(b_s, h_c)$ and $(b_c, h_s)$ to denote schemes that are statistically binding and computationally hiding and schemes that are computationally binding and statistically hiding, respectively.

At a high level, the distinction between the two notions, without or with quantum advice, is the 
following. We can assume that the two players decide to perform a commitment scheme and agree 
on a security parameter n. Then, in the first case, a trusted party can give them the description 
of the circuits (Co,Ci) so that the players can perform the commitment scheme themselves. One 
can think of the string (Cq,C\) as classical advice to the players. In the second case, the trusted 
party gives them the description of the circuits, as well as one copy of a quantum state each. This 
quantum state is of polynomial size, however it is not efficiently constructible, otherwise the trusted 
party could have given the players the classical description of the circuit that constructs it. Hence, 
in the second notion the players receive both classical and quantum advice. 



3 Quantum Commitments Unless QSZK $\subseteq$ QMA

The idea of the proof is to start from pairs of circuits $(C_0, C_1)$ which are in QSD$_Y$, which means that their mixed state outputs $\rho_{C_0}$ and $\rho_{C_1}$ are statistically far from each other. We want to use $\rho_{C_b}$ as a commitment state for the bit b. Since the states are statistically far away, such a commitment will be statistically binding. For the hiding property, we distinguish two cases. If the Receiver can distinguish in polynomial time (with some quantum auxiliary input) the two states for all but finitely many such pairs of circuits then we show that QSZK $\subseteq$ QMA. If the Receiver cannot distinguish the two states for an infinite set I of pairs of circuits, we show how to construct a non-interactive auxiliary-input quantum $(b_s, h_c)$-commitment scheme on I. More formally:

Theorem 1.1. If QSZK $\not\subseteq$ QMA, then there exists a non-interactive auxiliary-input quantum $(b_s, h_c)$-commitment scheme on an infinite set I.

Proof. First, we show the following

Lemma 3.1. If QSZK $\not\subseteq$ QMA then there exist two auxiliary-input state ensembles that are quantum computationally indistinguishable on an infinite set I.

Proof. Let us consider the complete problem QSD = {QSD$_Y$, QSD$_N$} for QSZK$_{hv}$. We may restrict attention to the honest verifier case, since it is known that QSZK = QSZK$_{hv}$ [37]. Let $n = |(C_0, C_1)|$ and define $|\phi_{C_b}\rangle = C_b(|0\rangle)$ in the space $\mathcal{O} \otimes \mathcal{G}$ to be the entire output state of the circuit on input $|0\rangle$ and $\rho^b_{(C_0, C_1)} = \operatorname{Tr}_{\mathcal{G}}(|\phi_{C_b}\rangle\langle\phi_{C_b}|)$ be the output of circuit $C_b$ on $m(n)$ qubits for a polynomial m.

Recall that the set QSD$_Y$ consists of pairs of circuits $(C_0, C_1)$ such that the trace norm satisfies $\|\rho^0_{(C_0, C_1)} - \rho^1_{(C_0, C_1)}\|_{tr} \ge 2 - \mu(n)$. We now consider the two auxiliary-input state ensembles $\{\rho^0_{(C_0, C_1)}\}$ and $\{\rho^1_{(C_0, C_1)}\}$ for $(C_0, C_1) \in \mathrm{QSD}_Y$. Assume for contradiction that they are quantum computationally distinguishable on QSD$_Y$, i.e. for some polynomials $p, s, k$ and for all $(C_0, C_1) \in \mathrm{QSD}_Y$, the states $\rho^0_{(C_0, C_1)}$ and $\rho^1_{(C_0, C_1)}$ are $(s(n), k(n), 1/p(n))$-distinguishable. In other words, for polynomials $p, s, k$ and for all $(C_0, C_1) \in \mathrm{QSD}_Y$ there exists a state $\sigma$ on $k(n)$ qubits and a quantum circuit Q of size $s(n)$ that performs a two-outcome measurement on $m(n) + k(n)$ qubits, such that

$$\big|\Pr[Q(\rho^0_{(C_0, C_1)} \otimes \sigma) = 1] - \Pr[Q(\rho^1_{(C_0, C_1)} \otimes \sigma) = 1]\big| \ge \frac{1}{p(n)}.$$

We now claim that this implies that QSZK $\subseteq$ QMA, which is a contradiction. For any input $(C_0, C_1)$ the prover can send the classical polynomial size description of Q to the verifier as well as the mixed state $\sigma$ with a polynomial number of qubits. Then, for all $(C_0, C_1) \in \mathrm{QSD}_Y$, the verifier with the help of Q and $\sigma$ can distinguish between the two circuits with probability at least $1/2 + 1/(2p(n))$. On the other hand, for all $(C_0, C_1) \in \mathrm{QSD}_N$, no matter what Q and $\sigma$ the prover sends, since $\|\rho^0_{(C_0, C_1)} - \rho^1_{(C_0, C_1)}\|_{tr} \le \mu(n)$ the verifier can only distinguish the two circuits with probability at most $1/2 + \mu(n)/2$. This implies that there is an inverse polynomial gap between the acceptance probabilities in the two cases. By applying standard error reduction tools for QMA [19], [22], we obtain a QMA protocol to solve QSD.

This implies that if QSZK $\not\subseteq$ QMA then there exists a non-empty set $I \subseteq \mathrm{QSD}_Y$ such that the two auxiliary-input state ensembles $\{\rho^0_{(C_0, C_1)}\}$ and $\{\rho^1_{(C_0, C_1)}\}$ are quantum computationally indistinguishable on I. Notice that we may take the set I to be infinite, since if I is finite, then by hard-wiring this finite number of instances into the QMA verifier (who always accepts these instances), we have again that QSZK $\subseteq$ QMA. □

We now show how to construct a commitment scheme from these ensembles. 

Lemma 3.2. The two auxiliary-input state ensembles given by {P(q q ci)}(Ca,Ci)eI an( ^ {P(c cV)}(Cb,Ci)er 
that are computationally indistinguishable on the infinite set I imply a non-interactive auxiliary- 
input quantum (b s ,h c )- commitment scheme on I. 

Proof. For each (Co, C\) £ I we define a scheme with security parameter n = \(Cq, Ci) | . 

• Commit phase: To commit to bit b, the sender S runs the quantum circuit C with input |0) 
to create \4>c b ) = C&(|0)) and sends c s to the receiver R, which is the portion of \<fic b ) 
in the space O. 

• Reveal phase: To reveal bit 6, the sender S sends the remaining qubits of the state \(f>c b ) to 
the receiver R, which lie in the space Q (the honest sender sends = C&|0}). The receiver 
applies the circuit C^ on his entire state and then measures all his qubits in the computational 
basis. He accepts if and only if the outcome is |0). 

Note that all operations of the sender and the receiver in the above protocol can be computed in time polynomial in $n$ given the input $(C_0,C_1)$, including the receiver's test during the reveal phase. The protocol is computationally hiding since $\{\rho^0_{(C_0,C_1)}\}$ and $\{\rho^1_{(C_0,C_1)}\}$ are quantum computationally indistinguishable.

The fact that the protocol is statistically binding follows from the fact that for the states $\{\rho^0_{(C_0,C_1)}\}$ and $\{\rho^1_{(C_0,C_1)}\}$ (for $(C_0,C_1)\in I\subseteq QSD_Y$) we know that $\|\rho^0_{(C_0,C_1)} - \rho^1_{(C_0,C_1)}\|_{tr} \ge 2-\mu(n)$ for a negligible function $\mu$. More precisely, if $\xi$ is the total quantum state sent by a dishonest sender $S^*$ in the commit and reveal phases of the protocol, then the probability that $\xi$ can be revealed as the bit $b$ is
$$\Pr[S^* \text{ reveals } b \text{ from } \xi] = \mathrm{tr}\big(|0\rangle\langle 0|\, C_b^\dagger\, \xi\, C_b\big) = F(C_b|0\rangle, \xi)^2 \le F\big(\rho^b_{(C_0,C_1)}, \mathrm{tr}_{\mathcal{G}}\,\xi\big)^2,$$
using the monotonicity of the fidelity with respect to the partial trace. This calculation follows the proof of Watrous that QSZK is closed under complementation [35]. In what follows we consider a dishonest sender that, after the commit phase, sends one of two different states in the reveal phase, so the state held by the Receiver is either $\xi_0$ or $\xi_1$. Notice that in either case the Sender sends the same state in the commit phase, so that we have $\mathrm{tr}_{\mathcal{G}}\,\xi_0 = \mathr{tr}_{\mathcal{G}}\,\xi_1 = \gamma$ for some $\gamma \in D(\mathcal{O})$. Using this, as well as the previous equation and properties of the fidelity,
$$P_{S^*} = \tfrac{1}{2}\big(\Pr[S^* \text{ reveals } b=0 \text{ from } \xi_0] + \Pr[S^* \text{ reveals } b=1 \text{ from } \xi_1]\big) \le \max_{\gamma \in D(\mathcal{O})}\ \ldots$$
The final inequality follows from the relationship between the fidelity and the trace norm as well as the fact that $\|\rho^0_{(C_0,C_1)} - \rho^1_{(C_0,C_1)}\|_{tr} \ge 2-\mu(n)$. This implies that the protocol is statistically binding. □

By combining the above Lemmas: if QSZK ⊄ QMA, then there exists a non-interactive auxiliary-input quantum $(b_s,h_c)$-commitment scheme on an infinite set $I$. □

If we are willing to relax the indistinguishability condition, i.e. enforce indistinguishability only against a quantum algorithm that has classical auxiliary input (i.e. drop the state $\sigma$ in Definition 2.11), then the condition becomes QSZK ⊄ QCMA. In Section 6 we give oracle evidence that this condition is true. Notice also that the result of Crépeau, Légaré, and Salvail [3] allows this commitment scheme to be used as a subroutine to construct a scheme that is statistically hiding and computationally binding.



4 Quantum $(b_s,h_c)$-commitments unless QIP ⊆ QMA

First, let us note that QIP ⊆ QMA implies that PSPACE ⊆ PP, which is widely believed not to be true. Hence, the commitments we exhibit are based on a very weak assumption. Using this weaker assumption, we obtain a weaker commitment scheme, in the sense that it requires quantum advice. Note that our definitions of security are against quantum adversaries that also receive arbitrary quantum advice, hence our honest players are never more powerful than the dishonest ones. Moreover, the quantum advice does not create entanglement between the two players.

In our first construction, we start from pairs of circuits $(Q_0,Q_1)$ in $QCD_Y$, which means that there is a common input $|\phi^*\rangle$ such that their outputs $\rho^{Q_0}$ and $\rho^{Q_1}$ are statistically far from each other. We use $\rho^{Q_b}$ as a commitment state for $b$. The quantum advice needed for the commitment is the following: the Sender receives a copy of $|\phi^*\rangle$ to create the states $\rho^{Q_0}$ and $\rho^{Q_1}$, and the Receiver also gets a copy of $|\phi^*\rangle$ to check via a swap test that the Sender did not cheat. Using the fact that the states are statistically far apart and a parallel repetition theorem for our swap-test based protocol, we obtain negligible binding error. Similarly to the QSZK construction, we show that if QCD cannot be solved in QMA then our scheme is also computationally hiding.

The remainder of this section provides the proof of this result. As a first step, we give a scheme with constant binding error based on the swap test (see [?] for an exposition of the swap test). Following this result, we prove a parallel repetition theorem for non-interactive swap-test based protocols, which we then use to obtain a scheme with negligible error.

Proposition 4.1. If QIP ⊄ QMA, then there exists a non-interactive auxiliary-input quantum $(b_s,h_c)$-commitment scheme with quantum advice on an infinite set $I$. This scheme has constant binding error.

Proof. We first show the following Lemma.

Lemma 4.2. If QIP ⊄ QMA, there exist two auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in I}$ and $\{Q^1\}_{(Q^0,Q^1)\in I}$ that are quantum computationally indistinguishable on an infinite set $I$.

Proof. Suppose QIP ⊄ QMA. Let us consider the complete problem QCD for QIP, with input the mixed-state circuits $(Q^0,Q^1)$. Let $n = |(Q^0,Q^1)|$. Let $\mathcal{I}$ denote the input space, $\mathcal{O}$ the output space and $\mathcal{G}$ the output garbage space of the circuits $Q^0,Q^1$.

Consider the set $QCD_Y$, whose elements are pairs of circuits $(Q^0,Q^1)$ such that the diamond norm satisfies $\|Q^0 - Q^1\|_\diamond \ge 2-\mu(n)$, and the two auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in QCD_Y}$ and $\{Q^1\}_{(Q^0,Q^1)\in QCD_Y}$. Assume for contradiction that they are quantum computationally distinguishable on $QCD_Y$, i.e. for some polynomials $p,s,k$ and all $(Q^0,Q^1)\in QCD_Y$, the superoperators $Q^0$ and $Q^1$ are $(s(n),k(n),1/p(n))$-distinguishable. In other words, for polynomials $p,s,k$ and for all $(Q^0,Q^1)\in QCD_Y$ there exists a mixed state $\sigma$ on $l(n)+k(n)$ qubits and a quantum circuit $D$ of size $s(n)$ that performs a two-outcome measurement on $m(n)+k(n)$ qubits, such that
$$\big|\Pr[D((Q^0\otimes 1_k)(\sigma)) = 1] - \Pr[D((Q^1\otimes 1_k)(\sigma)) = 1]\big| \ge \frac{1}{p(n)}.$$

We now claim that this implies that QIP ⊆ QMA, which is a contradiction. For any input $(Q^0,Q^1)$ the QMA prover can send to the verifier the classical polynomial-size description of $D$ as well as the mixed state $\sigma$ on poly$(n)$ qubits. Then, for all $(Q^0,Q^1)\in QCD_Y$, the verifier with the help of $D$ and $\sigma$ can distinguish between the two circuits with probability higher than $1/2 + 1/(2p(n))$. On the other hand, for all $(Q^0,Q^1)\in QCD_N$, no matter what $D$ and $\sigma$ the prover sends, since $\|Q^0 - Q^1\|_\diamond \le \mu(n)$ the verifier can only distinguish the two circuits with probability at most $1/2 + \mu(n)/2$. Hence, there is at least an inverse polynomial gap between the two probabilities, so we can use error reduction [?, 22] to obtain a QMA protocol that solves QCD with high probability.

Thus QIP ⊄ QMA implies that there exists a non-empty set $I\subseteq QCD_Y$ and two auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in QCD_Y}$ and $\{Q^1\}_{(Q^0,Q^1)\in QCD_Y}$ which are quantum computationally indistinguishable on $I$. Once again, the set $I$ must be infinite, as if $I$ is finite then by hard-wiring this finite number of instances into the QMA verifier (who always accepts these instances), we have again that QIP ⊆ QMA. □

We now need to show how to construct a commitment scheme on $I$ based on these indistinguishable superoperator ensembles. The protocol we obtain has only constant binding error: the average of the probability of successfully revealing 0 and the probability of successfully revealing 1 is negligibly larger than $3/4$. Following this Lemma we prove a parallel repetition result for this protocol that reduces this error to a negligible function.

Lemma 4.3. The two auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in I}$ and $\{Q^1\}_{(Q^0,Q^1)\in I}$, which are quantum computationally indistinguishable on the infinite set $I\subseteq QCD_Y$, imply a non-interactive auxiliary-input quantum $(b_s,h_c)$-commitment scheme with quantum advice on $I$. This protocol has constant binding error.

Proof. For every $(Q^0,Q^1)\in I$ we define a quantum commitment scheme with quantum advice. For convenience we let $U^b$ be the unitary operation that simulates the admissible map $Q^b$, in other words we have that $Q^b(\rho) = \mathrm{tr}_{\mathcal{G}}\, U^b(\rho\otimes|0\rangle\langle 0|)(U^b)^\dagger$. Note that any $Q^b$ can be efficiently converted to a unitary circuit $U^b$. Let also $|\phi^*\rangle$ be the pure state from Lemma 2.1, such that
$$\big\|(1_{\mathcal{F}}\otimes(Q^0 - Q^1))(|\phi^*\rangle\langle\phi^*|)\big\|_{tr} = \|Q^0 - Q^1\|_\diamond.$$

• Define $n = |(Q^0,Q^1)|$ to be the security parameter. $S$ and $R$ also receive as advice a copy of the state $|\phi^*\rangle$ on poly$(n)$ qubits.

• Commit phase: To commit to bit $b$, the sender $S$ runs the quantum circuit $1_{\mathcal{F}}\otimes U^b$ with input $|\phi^*\rangle|0\rangle$. The entire output of the circuit is a state in the space $\mathcal{F}\otimes\mathcal{O}\otimes\mathcal{G}$. The sender then sends the qubits in the space $\mathcal{O}\otimes\mathcal{F}$ to the receiver $R$.

• Reveal phase: To reveal bit $b$, the sender $S$ sends the remaining qubits of the state $(1_{\mathcal{F}}\otimes U^b)(|\phi^*\rangle|0\rangle)$, which lie in the space $\mathcal{G}$, to the receiver $R$. The receiver first applies the operation $1_{\mathcal{F}}\otimes(U^b)^\dagger$ to the entire state he received from the sender and then performs a swap test between this state and his copy of $|\phi^*\rangle|0\rangle$.

Let us analyze the above scheme. First, note that all operations of the sender and the receiver in the above protocol can be computed in time polynomial in $n$ given the input $(Q^0,Q^1)$. This includes the receiver's test during the reveal phase, since given a description of a unitary circuit it can be inverted by simply taking the inverse of each gate and running the circuit in reverse, and the swap test is also efficient.

The protocol is computationally hiding since the superoperators $Q^0$ and $Q^1$ are quantum computationally indistinguishable.

The fact that the protocol is statistically binding (with constant error) follows from the fact that $\|Q^0 - Q^1\|_\diamond \ge 2-\mu(n)$ for a negligible function $\mu$. More precisely, let $\sigma^b$ be the state sent by the sender, with $\mathrm{tr}_{\mathcal{G}}\,\sigma^0 = \mathrm{tr}_{\mathcal{G}}\,\sigma^1 = \sigma_{\mathcal{OF}}$ (the honest sender sends the pure state $(1_{\mathcal{F}}\otimes U^b)(|\phi^*\rangle|0\rangle)$). Then the receiver accepts if and only if the output of $(1_{\mathcal{F}}\otimes(U^b)^\dagger)\,\sigma^b\,(1_{\mathcal{F}}\otimes U^b)$ and his copy of $|\phi^*\rangle|0\rangle$ pass the swap test. This probability is equal to
$$\frac{1}{2} + \frac{1}{2}F\big((1_{\mathcal{F}}\otimes U^b)(|\phi^*\rangle\langle\phi^*|\otimes|0\rangle\langle 0|)(1_{\mathcal{F}}\otimes(U^b)^\dagger),\ \sigma^b\big)^2 \le \frac{1}{2} + \frac{1}{2}F\big(1_{\mathcal{F}}\otimes Q^b(|\phi^*\rangle\langle\phi^*|),\ \mathrm{tr}_{\mathcal{G}}\,\sigma^b\big)^2 \le \frac{1}{2} + \frac{1}{2}F\big(1_{\mathcal{F}}\otimes Q^b(|\phi^*\rangle\langle\phi^*|),\ \sigma_{\mathcal{OF}}\big)^2,$$
where we have used the fact that the swap test on a state $\rho\otimes\sigma$ returns the symmetric outcome with probability $\frac{1}{2} + \frac{1}{2}\,\mathrm{tr}\,\rho\sigma$, as well as the monotonicity of the fidelity with respect to the partial trace.

Using this calculation, the binding property of the protocol, i.e. the average probability of successfully revealing 0 and of successfully revealing 1, is at most
$$\frac{1}{2} + \frac{1}{4}\Big(F\big(1_{\mathcal{F}}\otimes Q^0(|\phi^*\rangle\langle\phi^*|),\ \mathrm{tr}_{\mathcal{G}}\,\sigma\big)^2 + F\big(1_{\mathcal{F}}\otimes Q^1(|\phi^*\rangle\langle\phi^*|),\ \mathrm{tr}_{\mathcal{G}}\,\sigma\big)^2\Big) \le \frac{1}{2} + \frac{1}{4}\Big(1 + F\big(1_{\mathcal{F}}\otimes Q^0(|\phi^*\rangle\langle\phi^*|),\ 1_{\mathcal{F}}\otimes Q^1(|\phi^*\rangle\langle\phi^*|)\big)\Big) \le \frac{3}{4} + \frac{\sqrt{\mu(n)}}{4},$$
where we have used Lemma 2.1 and Lemma 2.4. □



From the above two Lemmata, we have that if QIP ⊄ QMA, then there exists a non-interactive auxiliary-input quantum $(b_s,h_c)$-commitment scheme with quantum advice on an infinite set $I$, with constant binding error. □

In the remainder of this section we show how to reduce the cheating probability of the sender to $1/2 + \mathrm{neg}(n)$. To do this, we will use parallel repetition of the above protocol.

Proposition 4.4. Consider a $k$-fold repetition of the above bit commitment protocol. This is a non-interactive auxiliary-input quantum $(b_s,h_c)$-commitment scheme with quantum advice on $I$.

Proof. The two things we have to make sure of are that the computationally hiding property remains under parallel repetition and that the cheating probability of the sender decreases as a negligible function in $k$. To show that the protocol is computationally hiding, we use the following Lemma.

Lemma 4.5 ([13]). Suppose that $\rho_1,\ldots,\rho_n$ and $\xi_1,\ldots,\xi_n$ are $m$-qubit states such that $\rho_1\otimes\cdots\otimes\rho_n$ and $\xi_1\otimes\cdots\otimes\xi_n$ are $(s,k,\epsilon)$-distinguishable. Then there exists at least one choice of $j\in\{1,\ldots,n\}$ for which $\rho_j$ and $\xi_j$ are $(s,(n-1)m+k,\epsilon/n)$-distinguishable.

From this Lemma, we easily have that if the superoperators $Q_0$ and $Q_1$ are quantum computationally indistinguishable then the output states of the superoperators $Q_0^{\otimes k}$ and $Q_1^{\otimes k}$ applied to any product state are quantum computationally indistinguishable for any $k$ of polynomial size. This proves that the repeated protocol remains computationally hiding, since the honest Sender prepares a product state.

We now need to prove that the statistical binding property decreases to $1/2 + \mathrm{neg}(n)$. We first prove the following Lemma that applies to the ideal case, i.e. the Receiver applies the swap test to one of two states with orthogonal reduced states. The calculation that this strategy (approximately) generalizes to the case of states that are almost orthogonal follows the proof of the Lemma.

Lemma 4.6. Let $|\phi_0\rangle,|\phi_1\rangle\in\mathcal{A}\otimes\mathcal{B}$ be states such that $\mathrm{tr}_{\mathcal{B}}|\phi_0\rangle\langle\phi_0|$ and $\mathrm{tr}_{\mathcal{B}}|\phi_1\rangle\langle\phi_1|$ are orthogonal, and let $\rho_0,\rho_1$ be two states on $(\mathcal{A}\otimes\mathcal{B})^{\otimes k} = \mathcal{A}_1\otimes\mathcal{B}_1\otimes\cdots\otimes\mathcal{A}_k\otimes\mathcal{B}_k$ such that
$$\mathrm{tr}_{\mathcal{B}_1\otimes\cdots\otimes\mathcal{B}_k}\,\rho_0 = \mathrm{tr}_{\mathcal{B}_1\otimes\cdots\otimes\mathcal{B}_k}\,\rho_1.$$
Consider the following test:

Test $b$: Take $k$ copies of $|\phi_b\rangle$ and apply for each $i\in\{1,\ldots,k\}$ the swap test between each copy and the state in $\mathcal{A}_i\otimes\mathcal{B}_i$. Accept if all the swap tests accept.

For any $\rho_0$ and $\rho_1$ with equal reduced states on $\mathcal{A}_1\otimes\cdots\otimes\mathcal{A}_k$, we have
$$\frac{1}{2}\big(\Pr[\rho_0 \text{ passes Test } 0] + \Pr[\rho_1 \text{ passes Test } 1]\big) \le \frac{1}{2} + \frac{1}{2^{k+1}}.$$



Proof. We prove the result by induction on $k$. For $k=1$ we have
$$\Pr[\rho_b \text{ passes Test } b] = 1/2 + \langle\phi_b|\rho_b|\phi_b\rangle/2 = 1/2 + F(|\phi_b\rangle\langle\phi_b|, \rho_b)^2/2 \le 1/2 + F(\mathrm{tr}_{\mathcal{B}}|\phi_b\rangle\langle\phi_b|, \mathrm{tr}_{\mathcal{B}}\,\rho_b)^2/2.$$
Since $\mathrm{tr}_{\mathcal{B}}\,\rho_0 = \mathrm{tr}_{\mathcal{B}}\,\rho_1$, this implies that
$$\frac{1}{2}\big(\Pr[\rho_0 \text{ passes Test } 0] + \Pr[\rho_1 \text{ passes Test } 1]\big) \le \frac{1}{2} + \frac{1}{4}\big(F(\mathrm{tr}_{\mathcal{B}}|\phi_0\rangle\langle\phi_0|, \mathrm{tr}_{\mathcal{B}}\,\rho_0)^2 + F(\mathrm{tr}_{\mathcal{B}}|\phi_1\rangle\langle\phi_1|, \mathrm{tr}_{\mathcal{B}}\,\rho_1)^2\big) \le \frac{1}{2} + \frac{1}{4}\big(1 + F(\mathrm{tr}_{\mathcal{B}}|\phi_0\rangle\langle\phi_0|, \mathrm{tr}_{\mathcal{B}}|\phi_1\rangle\langle\phi_1|)\big) = \frac{3}{4},$$
since the reduced states of $|\phi_0\rangle, |\phi_1\rangle$ are orthogonal.

Now we suppose the Lemma is true for $k$ and show it for $k+1$. For convenience we set $\mathcal{S}_i = \mathcal{A}_i\otimes\mathcal{B}_i$. We take a reference space $\mathcal{R}$ of sufficient size to consider purifications of $\rho_0$ and $\rho_1$. Let $\rho_b = \mathrm{tr}_{\mathcal{R}}|\psi_b\rangle\langle\psi_b|$ be these (arbitrary) purifications. Using this notation, we write
$$|\psi_0\rangle = \alpha_0|\phi_0\rangle_{\mathcal{S}_1}|\Omega_0\rangle_{\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}} + \alpha_1|\phi_1\rangle_{\mathcal{S}_1}|\Omega_1\rangle_{\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}} + \sum_{i=2}^{n}\alpha_i|\phi_i\rangle|\Omega_i\rangle \qquad (1)$$
and
$$|\psi_1\rangle = \beta_0|\phi_0\rangle_{\mathcal{S}_1}|\Gamma_0\rangle_{\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}} + \beta_1|\phi_1\rangle_{\mathcal{S}_1}|\Gamma_1\rangle_{\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}} + \sum_{i=2}^{n}\beta_i|\phi_i\rangle|\Gamma_i\rangle \qquad (2)$$
where the states $|\phi_i\rangle, |\phi_j\rangle$ are orthogonal for $i\ne j$ (for $|\phi_0\rangle$ and $|\phi_1\rangle$ this follows from the fact that the reduced states on $\mathcal{A}_1$ are orthogonal). Since the goal is to pass swap tests with $|\phi_0\rangle$ and $|\phi_1\rangle$, we can easily see that we can take $\alpha_i = \beta_i = 0$ for $i\ge 2$ without loss of generality, since this state will only have larger probability of passing the tests. As one final notational convenience, let $p_i = |\alpha_i|^2$ and $q_i = |\beta_i|^2$.

Before we analyze the probability that the swap tests pass, we show that the probabilities $p_0$ and $q_1$ satisfy $p_0 + q_1 \le 1$. By Equation (1) we have
$$p_0 = |\alpha_0|^2 = \mathrm{tr}\big((|\phi_0\rangle\langle\phi_0|\otimes 1)|\psi_0\rangle\langle\psi_0|\big) \le F\big(|\phi_0\rangle\langle\phi_0|,\ \mathrm{tr}_{\mathcal{S}_2\cdots\mathcal{S}_{k+1}\mathcal{R}}|\psi_0\rangle\langle\psi_0|\big)^2 \le F\big(\mathrm{tr}_{\mathcal{B}_1}|\phi_0\rangle\langle\phi_0|,\ \mathrm{tr}_{\mathcal{B}_1\mathcal{S}_2\cdots\mathcal{S}_{k+1}\mathcal{R}}|\psi_0\rangle\langle\psi_0|\big)^2.$$
By a similar calculation, we have
$$q_1 = |\beta_1|^2 \le F\big(\mathrm{tr}_{\mathcal{B}_1}|\phi_1\rangle\langle\phi_1|,\ \mathrm{tr}_{\mathcal{B}_1\mathcal{S}_2\cdots\mathcal{S}_{k+1}\mathcal{R}}|\psi_1\rangle\langle\psi_1|\big)^2.$$
Then, using the fact that $\mathrm{tr}_{\mathcal{B}_1\mathcal{S}_2\cdots\mathcal{S}_{k+1}\mathcal{R}}|\psi_0\rangle\langle\psi_0| = \mathrm{tr}_{\mathcal{B}_1\mathcal{S}_2\cdots\mathcal{S}_{k+1}\mathcal{R}}|\psi_1\rangle\langle\psi_1|$, as well as the fact that $\mathrm{tr}_{\mathcal{B}_1}|\phi_0\rangle\langle\phi_0|$ and $\mathrm{tr}_{\mathcal{B}_1}|\phi_1\rangle\langle\phi_1|$ are orthogonal, we have
$$p_0 + q_1 \le F\big(\mathrm{tr}_{\mathcal{B}_1}|\phi_0\rangle\langle\phi_0|,\ \mathrm{tr}_{\mathcal{B}_1\mathcal{S}_2\cdots\mathcal{S}_{k+1}\mathcal{R}}|\psi_0\rangle\langle\psi_0|\big)^2 + F\big(\mathrm{tr}_{\mathcal{B}_1}|\phi_1\rangle\langle\phi_1|,\ \mathrm{tr}_{\mathcal{B}_1\mathcal{S}_2\cdots\mathcal{S}_{k+1}\mathcal{R}}|\psi_1\rangle\langle\psi_1|\big)^2 \le 1 + F\big(\mathrm{tr}_{\mathcal{B}_1}|\phi_0\rangle\langle\phi_0|,\ \mathrm{tr}_{\mathcal{B}_1}|\phi_1\rangle\langle\phi_1|\big) = 1. \qquad (3)$$

We now analyze the probability that the swap tests pass. Consider applying Test 0 on $|\psi_0\rangle$. When applying the swap test between $|\phi_0\rangle$ and $|\phi_0\rangle$, the result is the state $|0\rangle|\phi_0\rangle|\phi_0\rangle$, where the first register corresponds to the acceptance of the swap test (0 corresponds to accept). When applying the swap test between the two states $|\phi_0\rangle$ and $|\phi_1\rangle$, the result before measuring the first qubit is
$$\frac{1}{2}\Big(|0\rangle\big(|\phi_0\rangle|\phi_1\rangle + |\phi_1\rangle|\phi_0\rangle\big) + |1\rangle\big(|\phi_0\rangle|\phi_1\rangle - |\phi_1\rangle|\phi_0\rangle\big)\Big).$$
So the swap test on the space $\mathcal{S}_1$ accepts with probability $p_0 + p_1/2$. Conditioned on this test passing, we have the state
$$\frac{1}{\sqrt{p_0 + p_1/2}}\Big[\alpha_0|\phi_0\rangle|\phi_0\rangle|\Omega_0\rangle_{\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}} + \frac{\alpha_1}{\sqrt{2}}\cdot\frac{|\phi_0\rangle|\phi_1\rangle + |\phi_1\rangle|\phi_0\rangle}{\sqrt{2}}\,|\Omega_1\rangle_{\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}}\Big].$$
Discarding the first system results in the state in $\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}$ (using orthogonality of $|\phi_0\rangle$ and $|\phi_1\rangle$) given by
$$\sigma = \frac{p_0}{p_0 + \frac{p_1}{2}}|\Omega_0\rangle\langle\Omega_0| + \frac{\frac{p_1}{2}}{p_0 + \frac{p_1}{2}}|\Omega_1\rangle\langle\Omega_1|.$$
Let $T_0(\xi)$ be the probability that a state $\xi\in\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}\otimes\mathcal{R}$ passes all swap tests in $\mathcal{S}_2\otimes\cdots\otimes\mathcal{S}_{k+1}$ with $|\phi_0\rangle$. We include the space $\mathcal{R}$ for convenience only: notice that the choice of purification in the space $\mathcal{R}$ has no effect on this probability. Using this notation, we have
$$\Pr[\rho_0 \text{ passes Test } 0] = \Big(p_0 + \frac{p_1}{2}\Big)\cdot\Big(\frac{p_0}{p_0 + \frac{p_1}{2}}\,T_0(|\Omega_0\rangle\langle\Omega_0|) + \frac{\frac{p_1}{2}}{p_0 + \frac{p_1}{2}}\,T_0(|\Omega_1\rangle\langle\Omega_1|)\Big) = p_0\,T_0(|\Omega_0\rangle\langle\Omega_0|) + \frac{p_1}{2}\,T_0(|\Omega_1\rangle\langle\Omega_1|).$$
Similarly, we define $T_1(\xi)$ for any $\xi$ and we have
$$\Pr[\rho_1 \text{ passes Test } 1] = \frac{q_0}{2}\,T_1(|\Gamma_0\rangle\langle\Gamma_0|) + q_1\,T_1(|\Gamma_1\rangle\langle\Gamma_1|),$$



which gives us
$$P = \frac{1}{2}\big(\Pr[\rho_0 \text{ passes Test } 0] + \Pr[\rho_1 \text{ passes Test } 1]\big) = \frac{1}{2}\Big(p_0\,T_0(|\Omega_0\rangle\langle\Omega_0|) + \frac{p_1}{2}\,T_0(|\Omega_1\rangle\langle\Omega_1|) + \frac{q_0}{2}\,T_1(|\Gamma_0\rangle\langle\Gamma_0|) + q_1\,T_1(|\Gamma_1\rangle\langle\Gamma_1|)\Big). \qquad (4)$$
Consider the states $\xi_0 = p_0|\Omega_0\rangle\langle\Omega_0| + p_1|\Omega_1\rangle\langle\Omega_1|$ and $\xi_1 = q_0|\Gamma_0\rangle\langle\Gamma_0| + q_1|\Gamma_1\rangle\langle\Gamma_1|$. These states are obtained from $\rho_0$ and $\rho_1$ by discarding the system in $\mathcal{S}_1$. This implies that they have the properties in the statement of the Lemma, i.e. the reduced states of $\xi_0$ and $\xi_1$ on $\mathcal{A}_2\otimes\cdots\otimes\mathcal{A}_{k+1}$ are equal. Thus, by induction, we know that $\frac{1}{2}(T_0(\xi_0) + T_1(\xi_1)) \le \frac{1}{2} + \frac{1}{2^{k+1}}$. This means that
$$\frac{1}{2}\Big(p_0\,T_0(|\Omega_0\rangle\langle\Omega_0|) + p_1\,T_0(|\Omega_1\rangle\langle\Omega_1|) + q_0\,T_1(|\Gamma_0\rangle\langle\Gamma_0|) + q_1\,T_1(|\Gamma_1\rangle\langle\Gamma_1|)\Big) \le \frac{1}{2} + \frac{1}{2^{k+1}}.$$
Using this, as well as Equation (4), we have
$$P = \frac{1}{2}\Big(p_0\,T_0(|\Omega_0\rangle\langle\Omega_0|) + \frac{p_1}{2}\,T_0(|\Omega_1\rangle\langle\Omega_1|) + \frac{q_0}{2}\,T_1(|\Gamma_0\rangle\langle\Gamma_0|) + q_1\,T_1(|\Gamma_1\rangle\langle\Gamma_1|)\Big) \le \frac{1}{4} + \frac{1}{2^{k+2}} + \frac{p_0}{4}\,T_0(|\Omega_0\rangle\langle\Omega_0|) + \frac{q_1}{4}\,T_1(|\Gamma_1\rangle\langle\Gamma_1|) \le \frac{1}{2} + \frac{1}{2^{k+2}},$$
where the final inequality is by Equation (3). □
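The swap-test probability used in the proof of Lemma 4.3 and the binding bounds of Lemmas 4.3 and 4.6 can be checked numerically. The following Python program is an added example and not code from the paper: it simulates the swap-test circuit (Hadamard, controlled-SWAP, Hadamard, measure the ancilla) on density matrices, confirms the acceptance probability $\frac{1}{2} + \frac{1}{2}\mathrm{tr}\,\rho\sigma$, evaluates the single-test binding quantity $\frac{1}{2}(\Pr[\text{pass with } |\phi_0\rangle] + \Pr[\text{pass with } |\phi_1\rangle])$ for a cheating sender's state $\sigma$, and, for the special case of a sender who submits a product state $\sigma^{\otimes k}$, the $k$-fold quantity of Lemma 4.6. It assumes a single $d$-dimensional register standing in for $\mathcal{A}\otimes\mathcal{B}$ (so "orthogonal reduced states" is simply $\langle\phi_0|\phi_1\rangle = 0$), $d = 2$, and constructed sample states; the function names are the example's own.

```python
import math

# Minimal complex linear algebra on lists of lists, so the example needs no numpy.
def kron(a, b):
    """Kronecker (tensor) product of two matrices."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(len(a))] for i in range(len(a[0]))]

def outer(v):
    """Density matrix |v><v| of a pure state vector v."""
    return [[x * y.conjugate() for y in v] for x in v]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]

def cswap(d):
    """Controlled-SWAP on ancilla (x) A (x) B with dim A = dim B = d; basis index c*d*d + i*d + j."""
    n = 2 * d * d
    m = [[0.0] * n for _ in range(n)]
    for c in range(2):
        for i in range(d):
            for j in range(d):
                src = c * d * d + i * d + j
                dst = c * d * d + ((j * d + i) if c == 1 else (i * d + j))
                m[dst][src] = 1.0
    return m

def swap_test_accept_prob(rho, sigma):
    """Simulate the swap test (H, controlled-SWAP, H, measure) on |0><0| (x) rho (x) sigma and
    return the probability of the symmetric ('accept') outcome 0 on the ancilla."""
    d = len(rho)
    h_on_ancilla = kron(H, identity(d * d))
    circuit = matmul(h_on_ancilla, matmul(cswap(d), h_on_ancilla))
    state = kron(outer([1.0, 0.0]), kron(rho, sigma))
    out = matmul(matmul(circuit, state), dagger(circuit))
    # Pr[ancilla = 0] is the trace of the block where the ancilla index is 0.
    return sum(out[k][k] for k in range(d * d)).real

def swap_test_formula(rho, sigma):
    """Closed form used in the proof of Lemma 4.3: 1/2 + 1/2 tr(rho sigma)."""
    return 0.5 + 0.5 * trace(matmul(rho, sigma)).real

def average_reveal_prob(phi0, phi1, sigma):
    """Single-test binding quantity: the receiver swap-tests the sender's state sigma against
    |phi_b>, averaged over the two bits a cheating sender may try to reveal.  For orthogonal
    |phi0>, |phi1> this is at most 3/4 for every sigma (exactly 3/4 when d = 2, since then
    <phi0|sigma|phi0> + <phi1|sigma|phi1> = tr sigma = 1)."""
    return 0.5 * (swap_test_accept_prob(outer(phi0), sigma)
                  + swap_test_accept_prob(outer(phi1), sigma))

def kfold_product_average(phi0, phi1, sigma, k):
    """k-fold repetition for a cheating sender who sends the product state sigma^{(x)k}: the k swap
    tests then pass independently, so the Lemma 4.6 quantity is 1/2 (p0^k + p1^k), which for
    orthogonal |phi0>, |phi1> is at most 1/2 + 1/2^(k+1).  (Lemma 4.6 also covers entangled states;
    this function only handles the product case.)"""
    p0 = swap_test_formula(outer(phi0), sigma)
    p1 = swap_test_formula(outer(phi1), sigma)
    return 0.5 * (p0 ** k + p1 ** k)

if __name__ == "__main__":
    # Constructed sample states (not from the paper): orthogonal |phi0>, |phi1> with d = 2.
    phi0, phi1 = [1.0, 0.0], [0.0, 1.0]
    plus = [1 / math.sqrt(2), 1 / math.sqrt(2)]
    print(swap_test_accept_prob(outer(phi0), outer(plus)), swap_test_formula(outer(phi0), outer(plus)))
    print(average_reveal_prob(phi0, phi1, outer(plus)))          # 0.75 for any sigma when d = 2
    print(kfold_product_average(phi0, phi1, outer(phi0), 3))     # 0.5625 = 1/2 + 1/2^4
```

The honest sender's own state $\sigma = |\phi_b\rangle\langle\phi_b|$ is already the worst case for the product bound: it passes Test $b$ with certainty and Test $1-b$ with probability $1/2$, giving exactly $\frac{1}{2} + \frac{1}{2^{k+1}}$, while superpositions or mixtures of $|\phi_0\rangle$ and $|\phi_1\rangle$ do strictly worse once $k \ge 2$.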

Notice that in the original bit commitment protocol the Receiver applies the swap test to $|\phi^*\rangle|0\rangle$ and the output of $(U_b^\dagger\otimes 1)\,\sigma_b\,(U_b\otimes 1)$, where $\sigma_b$ is the state sent during the protocol. Since $U_b$ is unitary, this is equivalent to applying the swap test between $\sigma_b$ and the state $|\phi_b\rangle = (U_b\otimes 1)|\phi^*\rangle|0\rangle$, for whatever value of $b$ the Sender has revealed. Viewed in this way, the receiver applies the swap test between $\sigma_b$ and one of two almost orthogonal states. Furthermore, these two states have the property that the reduced states on the space $\mathcal{O}$ have negligible fidelity. Notice also that the Sender may send one of two states $\sigma_0$ and $\sigma_1$ depending on the value that he wishes to reveal. Since we are interested in the sum of the probabilities that the Sender can successfully reveal both 0 and 1 in a given instance of the protocol, we may assume that the first message stays the same, i.e. that $\mathrm{tr}_{\mathcal{G}}\,\sigma_0 = \mathrm{tr}_{\mathcal{G}}\,\sigma_1$. This is exactly the condition in Lemma 4.6, with the exception that instead of the orthogonality of the states $|\phi_i\rangle$ we have only approximate orthogonality. We are able to overcome this obstacle with the following Lemma, the proof of which makes significant use of the fact that the trace norm can be written in terms of the projectors onto the positive and negative eigenspaces of a matrix. In particular, when applied to a Hermitian operator $X$ the trace norm is given by $\mathrm{tr}(\Pi_+X) - \mathrm{tr}(\Pi_-X)$, where $\Pi_+$ and $\Pi_-$ are the projectors onto the positive and negative eigenspaces of $X$, respectively. This fact follows from the definition of the trace norm.

Lemma 4.7. Let $|\phi_0\rangle, |\phi_1\rangle\in\mathcal{A}\otimes\mathcal{B}$ such that $\|\mathrm{tr}_{\mathcal{B}}|\phi_0\rangle\langle\phi_0| - \mathrm{tr}_{\mathcal{B}}|\phi_1\rangle\langle\phi_1|\|_{tr} \ge 2-\epsilon$. Then there exist states $|\phi_0'\rangle, |\phi_1'\rangle\in\mathcal{A}\otimes\mathcal{B}$ such that

1. $\langle\phi_i'|\phi_i\rangle \ge 1-\epsilon$ for $i\in\{0,1\}$,

2. $\mathrm{tr}_{\mathcal{B}}|\phi_0'\rangle\langle\phi_0'|$ and $\mathrm{tr}_{\mathcal{B}}|\phi_1'\rangle\langle\phi_1'|$ are orthogonal.

Proof. For simplicity, let $\rho_i = \mathrm{tr}_{\mathcal{B}}|\phi_i\rangle\langle\phi_i|$. We have
$$2-\epsilon \le \|\rho_0 - \rho_1\|_{tr} = \mathrm{tr}\,|\rho_0 - \rho_1| = \mathrm{tr}\,\Pi_+(\rho_0 - \rho_1) - \mathrm{tr}\,\Pi_-(\rho_0 - \rho_1), \qquad (5)$$
where $\Pi_+$ and $\Pi_-$ are the projectors onto the positive and negative eigenspaces of $\rho_0 - \rho_1$ respectively. Notice that
$$\mathrm{tr}(\Pi_+\rho_0) = \mathrm{tr}(\Pi_+(\rho_0 - \rho_1)) + \mathrm{tr}(\Pi_+\rho_1) \ge \mathrm{tr}(\Pi_+(\rho_0 - \rho_1)),$$
and similarly $\mathrm{tr}(\Pi_-\rho_1) \ge -\mathrm{tr}(\Pi_-(\rho_0 - \rho_1))$, which implies that
$$\mathrm{tr}(\Pi_+\rho_0) + \mathrm{tr}(\Pi_-\rho_1) \ge \mathrm{tr}(\Pi_+(\rho_0 - \rho_1)) - \mathrm{tr}(\Pi_-(\rho_0 - \rho_1)) \ge 2-\epsilon,$$
by Equation (5). This implies that $\mathrm{tr}(\Pi_+\rho_0) \ge 1-\epsilon$ and $\mathrm{tr}(\Pi_-\rho_1) \ge 1-\epsilon$.

We introduce the states $\rho_0', \rho_1'$ given by the (renormalized) projection of $\rho_0$ and $\rho_1$ into the spaces spanned by $\Pi_+$ and $\Pi_-$, respectively. Since these are orthogonal projectors the states $\rho_0'$ and $\rho_1'$ are orthogonal. Notice also that
$$\|\rho_0 - \rho_0'\|_{tr} = \mathrm{tr}\,|\rho_0 - \rho_0'| = \mathrm{tr}(\Gamma_+(\rho_0 - \rho_0')) - \mathrm{tr}(\Gamma_-(\rho_0 - \rho_0')) = 2\,\mathrm{tr}(\Gamma_+(\rho_0 - \rho_0')),$$
where $\Gamma_+, \Gamma_-$ are the projectors onto the positive and negative eigenspaces of $\rho_0 - \rho_0'$, and we have also used the fact that $\mathrm{tr}(\rho_0 - \rho_0') = 0$, which implies that the positive portion of $\rho_0 - \rho_0'$ has the same trace as the negative portion. Consider the positive eigenspace of $\rho_0 - \rho_0'$. This is precisely the subspace spanned by the support of $\rho_0$ that lies outside the support of $\rho_0'$, i.e. this is exactly the space spanned by the projector $\Pi_- = \Gamma_+$. Using this observation
$$\|\rho_0 - \rho_0'\|_{tr} = 2\,\mathrm{tr}(\Gamma_+(\rho_0 - \rho_0')) = 2\,\mathrm{tr}(\Pi_-\rho_0) \le 2\epsilon, \qquad (6)$$
where we have used the fact that $\mathrm{tr}(\Pi_-\rho_0) = 1 - \mathrm{tr}(\Pi_+\rho_0) \le \epsilon$. A similar argument establishes the fact that
$$\|\rho_1 - \rho_1'\|_{tr} = 2\,\mathrm{tr}(\Pi_+\rho_1) \le 2\epsilon. \qquad (7)$$
Finally, we note that Equations (6) and (7) and Uhlmann's theorem imply that there exist purifications $|\phi_0'\rangle, |\phi_1'\rangle\in\mathcal{A}\otimes\mathcal{B}$ of $\rho_0'$ and $\rho_1'$ such that
$$\langle\phi_i'|\phi_i\rangle = F(\rho_i', \rho_i) \ge 1-\epsilon.$$
This, combined with the orthogonality of $\rho_0'$ and $\rho_1'$, completes the proof. □

This Lemma shows that we may replace the two states that are almost orthogonal with nearby states that have exactly the orthogonality property required by Lemma 4.6, which we can in turn use to show that the protocol repeated $k$ times is statistically binding. To do so, notice that the two states $|\phi_0\rangle$ and $|\phi_1\rangle$, which are given by applying the circuits $Q_0$ and $Q_1$ to the state $|\phi^*\rangle|0\rangle$, satisfy
$$\big\||\phi_0\rangle\langle\phi_0| - |\phi_1\rangle\langle\phi_1|\big\|_{tr} \ge \big\|\mathrm{tr}_{\mathcal{G}}(|\phi_0\rangle\langle\phi_0| - |\phi_1\rangle\langle\phi_1|)\big\|_{tr} = \big\|((Q_0 - Q_1)\otimes I)(|\phi^*\rangle\langle\phi^*|)\big\|_{tr} = \|Q_0 - Q_1\|_\diamond \ge 2-\mu(n).$$
These states are not orthogonal, but are nearly so. We may, however, use Lemma 4.7 to obtain $|\phi_0'\rangle$ and $|\phi_1'\rangle$ that have the orthogonality property required by Lemma 4.6 and that have inner product at least $1-\mu(n)$ with the original states $|\phi_0\rangle$ and $|\phi_1\rangle$, respectively.

We now relate the probability that the state $\rho$ passes our Test 0, i.e. the $k$ swap tests with the state $|\phi_0\rangle^{\otimes k}$, to the probability that the same state $\rho$ passes the $k$ swap tests with the state $|\phi_0'\rangle^{\otimes k}$ (denoted by Test' 0). The difference of these probabilities is upper bounded by the trace distance between the states $|\phi_0\rangle^{\otimes k}$ and $|\phi_0'\rangle^{\otimes k}$, since we can view the swap test with $\rho$ as a measurement to distinguish these two states. This gives
$$\big|\Pr[\rho \text{ passes Test } 0] - \Pr[\rho \text{ passes Test}'\ 0]\big| \le \big\|(|\phi_0\rangle\langle\phi_0|)^{\otimes k} - (|\phi_0'\rangle\langle\phi_0'|)^{\otimes k}\big\|_{tr} = 2\sqrt{1 - |\langle\phi_0'|\phi_0\rangle|^{2k}} \le 2\sqrt{1 - (1-\mu(n))^{2k}} \le 2\sqrt{2k\mu(n)},$$
where the final inequality is Bernoulli's inequality. Similarly we have
$$\big|\Pr[\rho \text{ passes Test } 1] - \Pr[\rho \text{ passes Test}'\ 1]\big| \le 2\sqrt{2k\mu(n)}.$$
Hence, for the binding property of our scheme we have
$$\frac{1}{2}\big(\Pr[\rho \text{ passes Test } 0] + \Pr[\rho \text{ passes Test } 1]\big) \le \frac{1}{2}\big(\Pr[\rho \text{ passes Test}'\ 0] + \Pr[\rho \text{ passes Test}'\ 1]\big) + 2\sqrt{2k\mu(n)},$$
since for Test' 0 and Test' 1 we can use Lemma 4.6 for the perfect case. This quantity is negligibly larger than $1/2$, as we may take $k$ to be any polynomial and $\mu$ is a negligible function. □

This proposition, when combined with Proposition 4.1, gives the main result of this section.

Theorem 4.8. If QIP ⊄ QMA, then there exists a non-interactive auxiliary-input quantum $(b_s,h_c)$-commitment scheme with quantum advice on an infinite set $I$.

5 Quantum $(b_c,h_s)$-commitments unless QIP ⊆ QMA

To obtain protocols that are computationally binding and statistically hiding, we use instances of the QIP-complete problem $\Pi$ to construct a $(b_c,h_s)$-commitment scheme with quantum advice under the assumption that QIP ⊄ QMA. We start from pairs of circuits $Q_0,Q_1\in\Pi_Y$ and the corresponding input states $\rho^0,\rho^1$ (see Definition 2.8) that will be given to the Sender as quantum advice. An honest Sender commits to $b$ by sending half of $\rho^b$ to the Receiver. By definition of $\rho^0,\rho^1$, the protocol is statistically hiding (in fact it is perfectly hiding). During the reveal phase, the Sender sends the second half of $\rho^b$. If $\Pi\notin$ QMA, we show that this protocol is also computationally binding, using our notion of computationally unwitnessable superoperators.

Theorem 5.1. If QIP ⊄ QMA, then there exists a non-interactive auxiliary-input quantum $(b_c,h_s)$-commitment scheme with quantum advice on an infinite set $I$.

Proof. Recall the complete problem $\Pi = \{\Pi_Y, \Pi_N\}$ from Definition 2.8, with inputs the mixed-state circuits $(Q^0,Q^1)$ from $D(\mathcal{X}\otimes\mathcal{Y})$ to a single bit and $n = |(Q^0,Q^1)|$. To show this Theorem, we use the following Lemma, the proof of which is very similar to the proof of Lemma 3.1.

Lemma 5.2. If QIP ⊄ QMA, there exist two auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in I}$ and $\{Q^1\}_{(Q^0,Q^1)\in I}$ that are quantum computationally unwitnessable on an infinite set $I$.

Proof. Let us consider the set $\Pi_Y$ and suppose for contradiction that the two auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in\Pi_Y}$ and $\{Q^1\}_{(Q^0,Q^1)\in\Pi_Y}$ are quantum computationally witnessable, i.e. there exist polynomials $(s,k,p)$ such that for all $(Q^0,Q^1)\in\Pi_Y$ the superoperators $Q^0$ and $Q^1$ are $(s(n),k(n),p(n))$-witnessable. In other words, there exist polynomials $(s,k,p)$ such that for all $(Q^0,Q^1)\in\Pi_Y$ there exist two input states $\rho^0,\rho^1\in L(\mathcal{X}\otimes\mathcal{Y})$ such that first, there exists a state $\sigma\in L(\mathcal{W}\otimes\mathcal{X}\otimes\mathcal{Y})$ with $|\mathcal{W}| = k$ and $\mathrm{tr}_{\mathcal{W}}\,\sigma = \rho^0$, and there exists an admissible superoperator $\Psi : L(\mathcal{W}\otimes\mathcal{X})\to L(\mathcal{X})$ of size $s$, such that $\rho^1 = (\Psi\otimes 1_{\mathcal{Y}})(\sigma)$; and second
$$\frac{1}{2}\big(\Pr[Q^0(\rho^0) = 1] + \Pr[Q^1(\rho^1) = 1]\big) \ge \frac{1}{2} + \frac{1}{p(n)}.$$
Then, we provide a QMA protocol for the problem $\Pi$. Merlin sends $\sigma$ (which is of size polynomial in the input, since $k(n) = |\mathcal{W}|$) and the classical description of $\Psi$ (of size $s(n)$). Arthur with probability $1/2$ applies $Q^0$ on $\rho^0$ (which he obtains from $\sigma$ by discarding the space $\mathcal{W}$) and accepts if he gets 1; and with probability $1/2$ he first creates $\rho^1$ from $\Psi$ and $\sigma$, then applies $Q^1$ on it and also accepts if he gets 1.

(Completeness) If $(Q^0,Q^1)\in\Pi_Y$, we have
$$\Pr[\text{Arthur accepts}] = \frac{1}{2}\big(\Pr[Q^0(\rho^0) = 1] + \Pr[Q^1(\rho^1) = 1]\big) \ge \frac{1}{2} + \frac{1}{p(n)}.$$
(Soundness) If $(Q^0,Q^1)\in\Pi_N$, then for any cheating Merlin, Arthur receives a state $\rho^0$, from which he constructs (with probability one half) a state $\rho^1$, each in the space $\mathcal{X}\otimes\mathcal{Y}$ and such that $\mathrm{tr}_{\mathcal{X}}\,\rho^0 = \mathrm{tr}_{\mathcal{X}}\,\rho^1$. By the definition of $\Pi_N$, we have
$$\Pr[\text{Arthur accepts}] = \frac{1}{2}\big(\Pr[Q^0(\rho^0) = 1] + \Pr[Q^1(\rho^1) = 1]\big) \le \frac{1}{2} + \mu(n).$$
We have an inverse polynomial gap between completeness and soundness and hence we conclude that $\Pi\in$ QMA. This proves that there is a nonempty $I$ that satisfies the property of our Lemma. Note that if $I$ is finite, then by hard-wiring this finite number of instances into the QMA verifier (who always accepts these instances), we have again that QIP ⊆ QMA. So if QIP ⊄ QMA then the set $I$ can be taken to be infinite. □

To finish the proof of the Theorem, we now need to show the following.

Lemma 5.3. Auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in I}$ and $\{Q^1\}_{(Q^0,Q^1)\in I}$ that are quantum computationally unwitnessable on an infinite set $I\subseteq\Pi_Y$ imply a non-interactive quantum $(b_c,h_s)$-commitment scheme with quantum advice on $I$.

Proof. Commitment scheme. Each $(Q^0,Q^1)\in I\subseteq\Pi_Y$ gives the following scheme:

• Let $n = |(Q^0,Q^1)|$ be the security parameter. The sender receives as advice $\rho^0,\rho^1\in D(\mathcal{X}\otimes\mathcal{Y})$ such that $\mathrm{tr}_{\mathcal{X}}\,\rho^0 = \mathrm{tr}_{\mathcal{X}}\,\rho^1$ and $\frac{1}{2}\big(\Pr[Q^0(\rho^0) = 1] + \Pr[Q^1(\rho^1) = 1]\big) \ge 1-\mu(n)$. For consistency with our definitions, we also suppose that the Receiver gets a copy of $\rho^0,\rho^1$. These states will not be used in the honest case and they will not harm the security for a cheating Receiver.

• (Commit phase) To commit to $b$, the Sender sends the state in $\mathcal{Y}^b$ to the Receiver.

• (Reveal phase) To reveal $b$, the Sender sends the state in $\mathcal{X}^b$. The Receiver applies $Q^b$ on the space $\mathcal{X}^b\otimes\mathcal{Y}^b$ and accepts if he gets 1.

Statistical hiding property: The states that the receiver gets in the commit phase satisfy $\mathrm{tr}_{\mathcal{X}}\,\rho^0 = \mathrm{tr}_{\mathcal{X}}\,\rho^1$ and hence our scheme is perfectly hiding.

Computationally binding property: The property follows from the fact that the two auxiliary-input superoperator ensembles $\{Q^0\}_{(Q^0,Q^1)\in I}$ and $\{Q^1\}_{(Q^0,Q^1)\in I}$ are quantum computationally unwitnessable. Fix $(Q^0,Q^1)\in I$ with $|(Q^0,Q^1)| = n$. After the reveal phase, the Receiver has $\rho^b$ in space $\mathcal{X}\otimes\mathcal{Y}$, where $b$ is the revealed bit. Since we consider dishonest senders $S^*_{(Q^0,Q^1)}$ that are quantum polynomial time machines with quantum advice, the states $\rho^0$ and $\rho^1$ satisfy property 2 of Definition 2.16. Thus, for all but finitely many $(Q^0,Q^1)\in I$ they do not have property 1 of Definition 2.16. Then, for such $(Q^0,Q^1)\in I$ we have
$$P_{S^*_{(Q^0,Q^1)}} = \frac{1}{2}\big(\Pr[S^*_{(Q^0,Q^1)} \text{ reveals } b = 0] + \Pr[S^*_{(Q^0,Q^1)} \text{ reveals } b = 1]\big) = \frac{1}{2}\big(\Pr[Q^0(\rho^0) = 1] + \Pr[Q^1(\rho^1) = 1]\big) \le \frac{1}{2} + \frac{1}{p(n)}$$
for all polynomials $p$. □

From the above two Lemmas, unless QIP ⊆ QMA there exists a non-interactive auxiliary-input quantum $(b_c,h_s)$-commitment scheme with quantum advice on an infinite set $I$. □

This result, combined with Theorem 4.8, completes the proof of Theorem 1.3.



6 Quantum Oracle Relative to Which QSZK$_{HV}$ ⊄ QCMA

In order to prove the desired result we find a problem in QSZK$_{HV}$ and prove a black-box lower bound in the QCMA model. We end up with a quantum oracle, as the constructed problem makes essential use of quantum information. This approach is due to Aaronson and Kuperberg [?], who prove a similar result for QMA versus QCMA. The argument given here is related to the argument of Aaronson and Kuperberg, both in structure and in the fact that we make use of a bound on the expected overlap of a state drawn from a $p$-uniform distribution with a fixed state. The main difference is that in the problem we consider we need to extend the proof to the case where it is a unitary operator that is hidden inside the oracle, not a pure state. Note that subsequent to the completion of this work, Aaronson has shown the stronger result that there is an oracle relative to which SZK ⊄ QMA [?].

For our result we consider a black-box that takes as input a control qubit, chooses a random pure state $|\psi\rangle$ and applies a fixed but hidden $d$ by $d$ unitary $U$ to half of $|\psi\rangle$, controlled by the input qubit. The hidden unitary $U$ can be inverted by a QSZK prover, but in the QCMA model the Verifier cannot invert $U$ and recover the input without making an exponential number of queries to the black-box. We prove a lower bound on the number of queries needed by a QCMA Verifier to distinguish this black-box from one that simply generates random pure states.

Theorem 1.2. There exists a quantum oracle $A$ such that QSZK$^A_{HV}$ ⊄ QCMA$^A$.
6.1 Background

Before proving the oracle result we review some background on measures on quantum states and channels that will be used in the proof.

Let $U(\mathcal{H})$ be the group of unitary matrices acting on a Hilbert space $\mathcal{H}$. When no confusion is likely to arise, we will also use the notation $U(d)$, where $\dim\mathcal{H} = d$. The set of pure states on $\mathcal{H}$, i.e. the unit sphere in $\mathcal{H}$, is given by $S(\mathcal{H})$ or $S^{d-1}$. We refer to $d$-dimensional spaces for convenience: in general $d = 2^n$ for some space of $n$ qubits.

Throughout this section, the uniform measure on states and unitaries is given by the Haar measure. In the case of unitaries, we use $\mu_{U(\mathcal{H})}$ to denote the Haar measure on the unitaries on $\mathcal{H}$, that is, the unique left and right invariant measure normalized so that $\mu_{U(\mathcal{H})}(U(\mathcal{H})) = 1$. When the space in question is clear we will drop the subscript and use only $\mu$ to refer to this measure. The Haar measure on $S(\mathcal{H})$ can be obtained by applying a random $U\in U(\mathcal{H})$ to a fixed pure state (the invariance of the Haar measure implies that the choice of the fixed state does not matter). We will use $\mu_{S(\mathcal{H})}$ to refer to this measure.

Essential to our argument is the notion of a probability measure that is nearly uniform. Following Aaronson and Kuperberg [?], given a measure $\sigma$ we say that it is $p$-uniform if $p\sigma \le \mu$, where $\mu$ is the uniform measure over the space in question. This notion is directly related to the class QCMA by the fact that if the verifier starts with a uniform measure and conditions on an $m$-bit classical message, the result is a $(2^{-m})$-uniform measure. The main technical result of this section will be to show that such a measure over $U(d)$ does not help the verifier identify a particular unitary, unless $m\in\Omega(d)$. This result follows by a reduction to the pure state case, which is the key to the quantum oracle that separates QMA and QCMA [?].

Before doing this, we highlight two straightforward properties of $p$-uniform measures on $U(d)$ and $S^{d-1}$.

Proposition 6.1. Let $\sigma$ be a $p$-uniform measure on $U(d)$.

1. For any $U \in U(d)$ the measure $U\sigma$ remains $p$-uniform.

2. For any $|\psi\rangle \in S^{d-1}$, the measure $\tau$ on $S^{d-1}$ given by

$$\tau(A) = \sigma(\{U : U|\psi\rangle \in A\})$$

is $p$-uniform.

Proof. The left-invariance of $\mu_{U(d)}$ gives the first property, since for any $A \subseteq U(d)$,

$$p(U\sigma)(A) = p\sigma(U^\dagger A) \le \mu(U^\dagger A) = \mu(A).$$

The second property follows from the definition of $\mu_{S^{d-1}}$:

$$p\tau(A) = p\sigma(\{U : U|\psi\rangle \in A\}) \le \mu_{U(d)}(\{U : U|\psi\rangle \in A\}) = \mu_{S^{d-1}}(A),$$

where right-invariance of $\mu_{U(d)}$ implies that the choice of $|\psi\rangle$ does not matter. □
6.2 Oracle Separation

We now define our problem. 

Problem 6.2. Given a quantum oracle $O : \mathcal{A} \to \mathcal{A} \otimes \mathcal{H} \otimes \mathcal{K}$, where $\dim \mathcal{H} = \dim \mathcal{K} = d$ and
$\dim \mathcal{A} = 2$. The problem is to decide between the two cases

1. there exists a unitary $U \in U(\mathcal{H})$ such that the oracle $O$ performs the map

$$\alpha|0\rangle + \beta|1\rangle \;\mapsto\; \frac{1}{d^2}\Big( |\alpha|^2\, |0\rangle\langle 0| \otimes 1_{\mathcal{H}} \otimes 1_{\mathcal{K}} + \alpha\bar\beta\, |0\rangle\langle 1| \otimes U^\dagger \otimes 1_{\mathcal{K}} + \bar\alpha\beta\, |1\rangle\langle 0| \otimes U \otimes 1_{\mathcal{K}} + |\beta|^2\, |1\rangle\langle 1| \otimes 1_{\mathcal{H}} \otimes 1_{\mathcal{K}} \Big).$$

This map can be implemented in the following way: the oracle chooses a pure state $|\psi\rangle \in \mathcal{H} \otimes \mathcal{K}$ from the Haar measure and then performs the map

$$\alpha|0\rangle + \beta|1\rangle \;\mapsto\; \alpha|0\rangle|\psi\rangle + \beta|1\rangle (U \otimes 1_{\mathcal{K}})|\psi\rangle.$$

2. the oracle $O$ performs the map

$$\alpha|0\rangle + \beta|1\rangle \;\mapsto\; \frac{1}{d^2}\Big( |\alpha|^2\, |0\rangle\langle 0| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} + |\beta|^2\, |1\rangle\langle 1| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} \Big),$$

for example by measuring the input qubit and appending the maximally mixed state.
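The type-1 map is the Haar average of the pure-state implementation just described. The following derivation is added here (it is not part of the paper's text) and spells out that averaging step; the only fact it uses is $\mathbb{E}_{|\psi\rangle \sim \mu_{S(\mathcal{H} \otimes \mathcal{K})}}[|\psi\rangle\langle\psi|] = 1_{\mathcal{H} \otimes \mathcal{K}}/d^2$, which follows from the invariance of the Haar measure on the $d^2$-dimensional space $\mathcal{H} \otimes \mathcal{K}$.

$$
\begin{aligned}
&\mathbb{E}_{|\psi\rangle}\Big[\big(\alpha|0\rangle|\psi\rangle + \beta|1\rangle(U \otimes 1_{\mathcal{K}})|\psi\rangle\big)\big(\bar\alpha\langle 0|\langle\psi| + \bar\beta\langle 1|\langle\psi|(U^\dagger \otimes 1_{\mathcal{K}})\big)\Big] \\
&\quad = |\alpha|^2\, |0\rangle\langle 0| \otimes \mathbb{E}[|\psi\rangle\langle\psi|]
 + \alpha\bar\beta\, |0\rangle\langle 1| \otimes \mathbb{E}[|\psi\rangle\langle\psi|]\,(U^\dagger \otimes 1_{\mathcal{K}}) \\
&\qquad + \bar\alpha\beta\, |1\rangle\langle 0| \otimes (U \otimes 1_{\mathcal{K}})\,\mathbb{E}[|\psi\rangle\langle\psi|]
 + |\beta|^2\, |1\rangle\langle 1| \otimes (U \otimes 1_{\mathcal{K}})\,\mathbb{E}[|\psi\rangle\langle\psi|]\,(U^\dagger \otimes 1_{\mathcal{K}}) \\
&\quad = \frac{1}{d^2}\Big( |\alpha|^2\, |0\rangle\langle 0| \otimes 1_{\mathcal{H}} \otimes 1_{\mathcal{K}}
 + \alpha\bar\beta\, |0\rangle\langle 1| \otimes U^\dagger \otimes 1_{\mathcal{K}}
 + \bar\alpha\beta\, |1\rangle\langle 0| \otimes U \otimes 1_{\mathcal{K}}
 + |\beta|^2\, |1\rangle\langle 1| \otimes 1_{\mathcal{H}} \otimes 1_{\mathcal{K}} \Big).
\end{aligned}
$$

The diagonal blocks are the same as in the type-2 map; the two oracle types differ only in the off-diagonal blocks carrying $U^\dagger$ and $U$, which is exactly the coherence of the input qubit that a party able to apply $U^\dagger$ can recover and that the type-2 oracle destroys.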

We defined the oracles as superoperators, but one can think of them as unitaries in larger spaces.
The key idea is that in the first case the coherence of the input qubit can be recovered, provided
the hidden unitary $U$ can be inverted, whereas in the second case this coherence is irretrievably
lost. The prover in a QSZK protocol, given only the portion of the state in the space $\mathcal{H}$ and a copy
of the input qubit, is able to apply $U^\dagger$ in order to disentangle the input space from $\mathcal{H} \otimes \mathcal{K}$. To
prove a lower bound on this problem, we argue that with at most a small amount of knowledge
about the hidden operator $U$, an oracle of the first type appears much the same as an oracle of the
second type.

Before proving this lower bound, we give an interactive protocol for the problem. The idea 
behind the protocol is that when the input to the oracle is one half of a maximally entangled state 
then in the first case a prover is able to assist the verifier in recovering the original input state, but 
in the second case no action of the prover can recover the state. 

Protocol 6.3. Let $O$ be the oracle in Problem 6.2.

1. $V$ prepares the state $|\phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt{2} \in \mathcal{B} \otimes \mathcal{A}$, and uses as input to the oracle $O$ the
portion of the state in $\mathcal{A}$. $V$ then sends the state in $\mathcal{A} \otimes \mathcal{H}$ to $P$.

2. $P$ applies the unitary $U^\dagger$ on $\mathcal{H}$ controlled on the qubit in $\mathcal{A}$.

3. $V$ receives a state from $P$ in the space $\mathcal{A} \otimes \mathcal{H}$ and measures the operator $|\phi^+\rangle\langle\phi^+|$ on the
space $\mathcal{B} \otimes \mathcal{A}$, accepting if and only if the outcome is one.

In the following theorem we prove the completeness and soundness of Protocol 6.3. The fact
that it is also zero-knowledge is argued as part of the proof of Theorem 1.2.
Theorem 6.4. Let $V$ be the verifier in Protocol 6.3.

1. If the oracle is of type 1, there is a prover $P$ that causes $V$ to accept with certainty.

2. If the oracle is of type 2, then for any $P$, $V$ accepts with probability at most $1/2$.

Proof. To prove completeness (item 1), notice that when the oracle is of type 1 the state of the
verifier before sending the message to the prover is

$$\frac{1}{2d^2}\Big[ |00\rangle\langle 00| \otimes 1_{\mathcal{H}} \otimes 1_{\mathcal{K}} + |00\rangle\langle 11| \otimes U^\dagger \otimes 1_{\mathcal{K}} + |11\rangle\langle 00| \otimes U \otimes 1_{\mathcal{K}} + |11\rangle\langle 11| \otimes 1_{\mathcal{H}} \otimes 1_{\mathcal{K}} \Big].$$

If the honest prover applies $U^\dagger$ on the space $\mathcal{H}$, controlled on the qubit in $\mathcal{A}$, the state of the verifier
at the start of Step 3 is

$$\frac{1}{2d^2}\big( |00\rangle\langle 00| + |00\rangle\langle 11| + |11\rangle\langle 00| + |11\rangle\langle 11| \big) \otimes 1_{\mathcal{H}} \otimes 1_{\mathcal{K}} = |\phi^+\rangle\langle\phi^+| \otimes \frac{1_{\mathcal{H} \otimes \mathcal{K}}}{d^2},$$

and so the projective measurement on $\mathcal{A} \otimes \mathcal{B}$ given by $\{ |\phi^+\rangle\langle\phi^+|,\; 1 - |\phi^+\rangle\langle\phi^+| \}$ always results in
the first outcome. This implies that the verifier can always be made to accept an oracle of type 1.

To prove soundness (item 2) we show that the verifier rejects an oracle of type 2 with probability
at least $1/2$, regardless of the strategy of the prover. In this case the state of the verifier before
sending the message is given by the mixture

$$\frac{1}{2d^2}\big( |00\rangle\langle 00| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} + |11\rangle\langle 11| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} \big).$$

After the prover applies an arbitrary transformation to $\mathcal{A} \otimes \mathcal{H}$, the result is

$$\frac{1}{2d}\big( |0\rangle\langle 0| \otimes \rho_0 \otimes 1_{\mathcal{K}} + |1\rangle\langle 1| \otimes \rho_1 \otimes 1_{\mathcal{K}} \big)$$

for some mixed states $\rho_0, \rho_1$ on $\mathcal{A} \otimes \mathcal{H}$. The probability that the verifier's measurement results in
the outcome $|\phi^+\rangle\langle\phi^+|$ on this state is given by

$$\frac{1}{2d}\,\mathrm{tr}\Big[ \big(|\phi^+\rangle\langle\phi^+| \otimes 1_{\mathcal{H} \otimes \mathcal{K}}\big)\big( |0\rangle\langle 0| \otimes \rho_0 \otimes 1_{\mathcal{K}} + |1\rangle\langle 1| \otimes \rho_1 \otimes 1_{\mathcal{K}} \big) \Big] = \frac{1}{4}\Big( \mathrm{tr}\big[(|0\rangle\langle 0| \otimes 1_{\mathcal{H}})\rho_0\big] + \mathrm{tr}\big[(|1\rangle\langle 1| \otimes 1_{\mathcal{H}})\rho_1\big] \Big) \le \frac{1}{2},$$

which implies that the verifier accepts with probability at most $1/2$ when $O$ is of type 2. In fact,
the best strategy for a cheating prover is not to change the control bit in $\mathcal{A}$ at all. □

A central component of the argument that a QCMA verifier cannot identify a pure state hidden
in an oracle is a geometric bound on the expected overlap between any fixed state and a state
drawn from a $p$-uniform distribution.

Lemma 6.5 (Aaronson and Kuperberg 0]). For any $p$-uniform measure $\sigma$ on $S^{d-1}$ and any state

Our argument requires a similar geometric bound, except that we have a $p$-uniform measure
over unitaries and not the pure states. We obtain a reduction from $U(d)$ to $S^{d-1}$, which allows us
to extend the bound in Lemma 6.5.
Lemma 6.6. If $\sigma$ is a $p$-uniform measure on $U(d)$, then

$$\Big\| \mathbb{E}_{U \in \sigma}[U] \Big\|_{\mathrm{tr}} \in O\Big( \sqrt{d\,(1 + \log 1/p)} \Big).$$

Proof. Let $\sigma$ be an arbitrary $p$-uniform measure, then

$$\Big\| \mathbb{E}_{U \in \sigma}[U] \Big\|_{\mathrm{tr}} = \max_{V \in U(d)} \mathrm{tr}\Big( \mathbb{E}_{U \in \sigma}[U]\, V \Big) = \max_{V \in U(d)} \mathbb{E}_{U \in \sigma}\big[ \mathrm{tr}\, UV \big] = \max_{V \in U(d)} \mathbb{E}_{U \in \sigma V}\big[ \mathrm{tr}\, U \big].$$

Notice however that the measure $\sigma V$ is $p$-uniform whenever $\sigma$ is, and so by Proposition 6.1 we may,
since $\sigma$ is arbitrary, discard the maximization over $V$. Doing so, the desired quantity is

$$\mathbb{E}_{U \in \sigma}\big[ \mathrm{tr}\, U \big] \le \mathbb{E}_{U \in \sigma}\big| \mathrm{tr}\, U \big| = \mathbb{E}_{U \in \sigma}\Big| \sum_{i=1}^{d} \langle i|U|i\rangle \Big| \le \sum_{i=1}^{d} \mathbb{E}_{|\psi\rangle \in \tau_i}\big| \langle i|\psi\rangle \big|, \qquad (8)$$

where for each $i$, $\tau_i$ is the $p$-uniform measure on $S^{d-1}$ obtained by applying a $\sigma$-distributed unitary
$U$ to the state $|i\rangle$. Having reduced the problem to an expectation over a $p$-uniform measure on
pure states, we apply the bound in Lemma 6.5 to Equation (8) to get

$$\Big\| \mathbb{E}_{U \in \sigma}[U] \Big\|_{\mathrm{tr}} \le \sum_{i=1}^{d} O\Big( \sqrt{\tfrac{1 + \log 1/p}{d}} \Big) = O\Big( \sqrt{d\,(1 + \log 1/p)} \Big)$$

as in the statement of the Lemma. □



Theorem 6.7. Any QCMA protocol for Problem 6.2 with an $m$-bit witness uses $\Omega\big(\sqrt{d/(m+1)}\big)$
calls to the oracle.

Proof. Consider any QCMA protocol with any $m$-bit witness. We will show that this protocol
requires at least $\Omega\big(\sqrt{d/(m+1)}\big)$ calls to the oracle to determine whether it is an oracle of the first
or second type.

We use the hybrid approach of Bennett et al. 0]. Let $\rho_0$ be the initial state of the algorithm. Let
$\rho_i$ be the state of the algorithm immediately after the $i$th call to an oracle of type 2. After $T$ calls
to such an oracle, we denote the final state of the algorithm (before the measurement of whether
or not to accept) as $\rho_T$. In the case that the algorithm is run on an oracle of type 1, we denote the
final state by $\xi_T$. Our goal is to show that the distance between $\rho_T$ and $\xi_T$ is small, unless $T$, the
number of oracle calls, is sufficiently large. We will do this by considering running the algorithm
for $(i-1)$ queries on an oracle of type 2 and then switching the oracle to type 1. We denote the
state obtained in this way by $\rho_i'$. We prove that this state is very close to the state $\rho_i$, which will
give the desired result, since $\|\xi_T - \rho_T\|_{\mathrm{tr}} \le \sum_{i=1}^{T} \|\rho_i - \rho_i'\|_{\mathrm{tr}}$ by the triangle inequality.

Let $|\nu\rangle = \alpha|0\rangle + \beta|1\rangle$ and let $\nu = |\nu\rangle\langle\nu|$ be the input to the $(k+1)$st call to the oracle, after
the algorithm has been run for $k$ queries to an oracle of type 2. Strictly speaking, $\nu$ may be a mixed
state, but a convexity argument implies that a pure input state will maximize the distance between
the output states of the two oracles. The output of $O_2$ on the pure state $\nu$ is the mixed state

$$O_2(\nu) = \frac{1}{d^2}\Big( |\alpha|^2\, |0\rangle\langle 0| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} + |\beta|^2\, |1\rangle\langle 1| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} \Big). \qquad (9)$$

The output of the oracle $O_1$, for a fixed hidden unitary $U$, is

$$O_1^U(\nu) = \frac{1}{d^2}\Big( |\alpha|^2\, |0\rangle\langle 0| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} + \alpha\bar\beta\, |0\rangle\langle 1| \otimes U^\dagger \otimes 1_{\mathcal{K}} + \bar\alpha\beta\, |1\rangle\langle 0| \otimes U \otimes 1_{\mathcal{K}} + |\beta|^2\, |1\rangle\langle 1| \otimes 1_{\mathcal{H} \otimes \mathcal{K}} \Big).$$

However, since this is the first query the algorithm has made to the oracle $O_1$, it has no information
about the hidden unitary $U$, except the $m$-bit classical message from the QCMA prover. This
information constrains the unitary $U$ to a $2^{-m}$-uniform distribution $\sigma$, so that the output of oracle
$O_1$ can be represented by the mixture of the previous equation over all $U \in \sigma$, which is

$$O_1(\nu) = \mathbb{E}_{U \in \sigma}\big[ O_1^U(\nu) \big]. \qquad (10)$$



One way to think about this is that the oracle $O_1$ has another register which is initialized to a
uniform superposition of descriptions of all possible unitaries. The oracle then uses this register
as a control in order to apply the mapping $O_1^U$. The classical QCMA message can be thought
of as the outcome of a partial measurement on this register, which collapses the uniform
superposition to a $p$-uniform superposition of the unitaries consistent with the measurement
outcome. The verifier's view is obtained by tracing out this register.

The remaining task is to compute the diamond norm of the difference of Equations (9) and (10),
which will measure the maximum probability that any measurement can distinguish whether or
not a single call to the oracle $O_1$ has been replaced by a call to $O_2$.

$$\big\| O_1(\nu) - O_2(\nu) \big\|_{\mathrm{tr}}$$

We then use the fact that $\big\| |0\rangle\langle 1| \otimes A + |1\rangle\langle 0| \otimes A^\dagger \big\|_{\mathrm{tr}} = 2\|A\|_{\mathrm{tr}}$ (see @, Section III] for the
relationship between the eigenvalues of an operator of this form and the singular values of $A$). This
implies that

$$\big\| O_1(\nu) - O_2(\nu) \big\|_{\mathrm{tr}}$$

Finally, since $\sigma$ is a $2^{-m}$-uniform measure on $U(d)$ we apply Lemma 6.6 to obtain

$$\big\| O_1(\nu) - O_2(\nu) \big\|_{\mathrm{tr}} \in O\Big( \sqrt{\tfrac{1+m}{d}} \Big). \qquad (11)$$
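The intermediate steps between Equations (10) and (11) did not survive extraction. The following derivation is added here (it is not the paper's own text) and carries the computation through with the paper's symbols, using Equations (9) and (10) and the trace-norm identity quoted above. The shorthand $\bar U := \mathbb{E}_{U \in \sigma}[U]$ is my notation, not the paper's; note that $\mathbb{E}_{U \in \sigma}[U^\dagger] = \bar U^\dagger$ by linearity.

$$
\begin{aligned}
O_1(\nu) - O_2(\nu) &= \frac{1}{d^2}\Big( \alpha\bar\beta\, |0\rangle\langle 1| \otimes \bar U^\dagger \otimes 1_{\mathcal{K}} + \bar\alpha\beta\, |1\rangle\langle 0| \otimes \bar U \otimes 1_{\mathcal{K}} \Big) \\
&= |0\rangle\langle 1| \otimes A^\dagger + |1\rangle\langle 0| \otimes A, \qquad A := \frac{\bar\alpha\beta}{d^2}\, \bar U \otimes 1_{\mathcal{K}}, \\
\big\| O_1(\nu) - O_2(\nu) \big\|_{\mathrm{tr}} &= 2\|A\|_{\mathrm{tr}}
 = \frac{2|\alpha\beta|}{d^2}\, \|\bar U\|_{\mathrm{tr}}\, \|1_{\mathcal{K}}\|_{\mathrm{tr}}
 = \frac{2|\alpha\beta|}{d}\, \|\bar U\|_{\mathrm{tr}}
 \le \frac{1}{d}\, \|\bar U\|_{\mathrm{tr}},
\end{aligned}
$$

where the diagonal blocks cancel because they are identical in Equations (9) and (10), $\|X \otimes Y\|_{\mathrm{tr}} = \|X\|_{\mathrm{tr}} \|Y\|_{\mathrm{tr}}$ with $\|1_{\mathcal{K}}\|_{\mathrm{tr}} = d$, and the last step uses $2|\alpha\beta| \le |\alpha|^2 + |\beta|^2 = 1$. Applying Lemma 6.6 with $p = 2^{-m}$ gives $\|\bar U\|_{\mathrm{tr}} \in O\big(\sqrt{d\,(1+m)}\big)$, so the bound is $O\big(\sqrt{(1+m)/d}\big)$, which is Equation (11).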



This equation bounds the trace distance of the output states of the two oracles. The maximum
distance between the states $\rho_i$ and $\rho_i'$ is upper bounded by the diamond norm, which takes into
account the fact that the algorithm may use an ancillary space to better distinguish the two
oracles. Using the fact that the diamond norm of the difference of two channels is achieved by
a pure quantum state [2^], we have shown that there exists some pure state $\nu$ such that for all
$i \in \{1, \ldots, T\}$

$$\big\| \rho_i - \rho_i' \big\|_{\mathrm{tr}} \le \big\| O_1 - O_2 \big\|_{\diamond} \le 2\, \big\| O_1(\nu) - O_2(\nu) \big\|_{\mathrm{tr}} \in O\Big( \sqrt{(1+m)/d} \Big),$$

where we have used Lemma 2.2 to upper bound the diamond norm by the trace norm. The triangle
inequality implies that replacing all $T$ calls to $O_1$ with calls to $O_2$ results in states $\rho_T$ and $\xi_T$ with
trace distance

$$\big\| \rho_T - \xi_T \big\|_{\mathrm{tr}} \le \sum_{i=1}^{T} \big\| \rho_i - \rho_i' \big\|_{\mathrm{tr}} \in O\Big( T \sqrt{(1+m)/d} \Big).$$

This implies that in order for a black-box algorithm to distinguish $O_1$ and $O_2$ with constant prob-
ability it is required to make $T = \Omega\big( \sqrt{d/(1+m)} \big)$ calls to the oracle. □



We now use Protocol 6.3 and the lower bound in Theorem 6.7 to obtain an oracle relative to
which QSZK is not contained in QCMA. The proof of this follows very closely the argument of
Aaronson and Kuperberg who establish an oracle relative to which QMA is not in QCMA.

Strictly speaking, we find a quantum oracle $\mathcal{A}$ such that $\mathrm{QSZK}_{\mathrm{HV}}^{\mathcal{A}} \not\subseteq \mathrm{QCMA}^{\mathcal{A}}$, i.e. we deal only
with the honest verifier case. While it is known that $\mathrm{QSZK}_{\mathrm{HV}} = \mathrm{QSZK}$ we do not know if this
is still the case given access to the oracle $\mathcal{A}$.

Theorem 1.2. There exists a quantum oracle $\mathcal{A}$ such that $\mathrm{QSZK}_{\mathrm{HV}}^{\mathcal{A}} \not\subseteq \mathrm{QCMA}^{\mathcal{A}}$.

Proof. Let $L$ be a random unary language that we will use to define the oracle $\mathcal{A} = \{\mathcal{A}_n\}$. For each
$n$, $\mathcal{A}_n$ takes $2n$ qubits as input (so that $d = 2^n$ in Problem 6.2). For each $n$ there are two cases. If
$1^n \in L$ then $\mathcal{A}_n$ is an oracle of type 1 in Problem 6.2, i.e. $\mathcal{A}_n$ implements some hidden unitary $U$
on half of the input qubits. On the other hand, if $1^n \notin L$, then $\mathcal{A}_n$ is of type 2.

We use Theorem 6.4 to give an honest-verifier QSZK protocol for $L$, given access to the oracle
$\mathcal{A}$. For a given input $1^n$, the verifier first runs Protocol 6.3 to determine the type of the oracle. The
verifier accepts that $1^n \in L$ if and only if this protocol accepts. The completeness and soundness of
the protocol have already been shown. Last, it is easy to show that the protocol is zero knowledge
for the honest verifier. The state of the verifier after Step 1 can be simulated by the simulator,
since it has at its disposal both the honest verifier and the oracle. After the prover's message, in
the 'yes' case, the state is equal to

which can also be easily simulated, and so the protocol is (honest-verifier) zero-knowledge. This
implies that $L \in \mathrm{QSZK}_{\mathrm{HV}}^{\mathcal{A}}$.

We then use the lower bound in Theorem 6.7 to show that $L \notin \mathrm{QCMA}^{\mathcal{A}}$, with probability one
(over the choice of $L$ and the hidden unitary $U$ in the oracle). This portion of the proof is identical
to the proof in 0], but for clarity we repeat it here. Fix $M$ an arbitrary QCMA verifier and let
$S_M(n)$ represent the event that the verifier $M$ succeeds on the input $1^n$, i.e. either $1^n \in L$ and
there exists a witness string $w$ such that $M^{\mathcal{A}}$ accepts with probability at least $2/3$, or $1^n \notin L$ and
no witness $w$ causes $M$ to accept with probability larger than $1/3$. Since $M$ makes only polynomially
many oracle calls and receives a witness of polynomial length $m$, while Theorem 6.7 requires
$\Omega\big(\sqrt{2^n/(m+1)}\big)$ calls to tell the two oracle types apart, Theorem 6.7 implies that $M$
fails for large enough $n$, i.e. that for some $N$ it holds that for all $n > N$

$$\Pr_{L,U}\big[ S_M(n) \,\big|\, S_M(1), \ldots, S_M(n-1) \big] \le \tfrac{1}{2}.$$

This implies that the probability that $M$ works on all $n$ is $0$, i.e.

$$\Pr_{L,U}\big[ S_M(1) \wedge S_M(2) \wedge \cdots \big] = 0.$$

Finally, since there are only a countably infinite number of QCMA verifiers (by the Solovay-Kitaev
Theorem [3]), the union bound implies that with probability one we have $L \notin \mathrm{QCMA}^{\mathcal{A}}$. □